A report from The Financial Times details a vulnerability in WhatsApp that allowed attackers to install Israeli spyware onto phones via the app’s call feature.
The sophisticated spyware, called Pegasus, was developed by Israeli company NSO Group and transmitted by calling users via WhatsApp on iOS and Android.
The software could be installed on Android and iPhone handsets simply by calling the targeted person through WhatsApp. It could be injected even if a user did not answer the WhatsApp call. In many cases, call logs would even disappear from the target’s device, erasing any evidence that their phone had been tampered with.
Many details about the vulnerability remain unclear, but the report suggests that the loophole was open for several weeks. In a statement, WhatsApp said:
This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.
WhatsApp said it’s still investigating the matter and it was too early to say how many users had been impacted by the spyware, suggesting only that it was a “select number” of people. WhatsApp reportedly disclosed the issue to the United States Department of Justice last week, and started deploying a fix to its servers on Friday.
WhatsApp told users to check that they’re running the latest version of the app on their devices. It also advised users to make sure their mobile operating system is up to date to ensure proper protection against potential targeted exploits designed to access information stored on mobile devices.
The Pegasus spyware is usually licensed to governments who use it to gain access to the devices of individuals targeted in investigations.
In a statement, NSO Group said its technology is used by “authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions.”
The company said it always investigates any “credible allegations of misuse and if necessary, we take action, including shutting down the system.”
It added: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization.”
Read the full report from The Financial Times here.