Facebook-run WhatsApp has discovered a vulnerability in the messaging app that allowed attackers to install spyware on phones and snoop on users by accessing their phones’ operating system. The spyware, developed by Israel’s secretive NSO Group, can be installed without trace and without the target answering the call, WhatsApp confirmed.
The vulnerability was first reported by the Financial Times and has been fixed in the latest WhatsApp update.
Attackers were able to install the surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data.
The malicious code could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, the Financial Times quoted the spyware dealer as saying.
WhatsApp is investigating the vulnerability; however, it is not yet clear how many users were targeted using the spyware. Upon the discovery, WhatsApp scrambled to fix it, rolling out an update in less than 10 days, the FT report claimed.
The NSO Group came to prominence in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates. NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.
Reports said that WhatsApp has briefed human rights organisations on the matter, but did not identify them.