WhatsApp exploit allowed spyware to be installed via voice call

Image: Fabian Sommer/picture alliance via Getty Image

A WhatsApp vulnerability allowed attackers to remotely install spyware onto phones — by simply calling them.

First reported by the Financial Times and confirmed by WhatsApp, the issue was discovered in early May and was promptly fixed by the company.

The Facebook-owned messaging service said it believed certain users were targeted through the vulnerability by an advanced cyber actor. 

As noted by the Financial Times, the spyware was developed by the Israeli cyber intelligence firm NSO Group. The malicious code could be inserted via a voice call, even if the recipient didn’t answer their phone, and the call would disappear from logs.

In a statement, WhatsApp did not name the NSO Group, but said the attack was representative of a private company which works with governments to create spyware for mobile devices.  

The messaging company said it has briefed human rights organisations on the finding, and notified U.S. law enforcement to help them conduct an investigation. 

WhatsApp said it made changes to its infrastructure last week to prevent the attack from happening, and issued an update for its app.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson said in a statement. 

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

The NSO Group is behind a spyware product called Pegasus, which allows operators to take control of a target’s phone, allowing them to switch on a phone’s camera and a microphone, as well as retrieve private data.

Human rights organisation Amnesty International is behind legal action to revoke the NSO Group’s export licence in Israel, after an Amnesty staff member was targeted last August by Pegasus.

“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” Danna Ingleton, deputy director of Amnesty Tech, said in a statement.