A report from The Financial Times this afternoon details a vulnerability in WhatsApp that allowed attackers to inject Israeli spyware onto phones. The malicious code was developed by the Israeli company NSO Group and transmitted by calling users via WhatsApp on iOS and Android.
The malicious code could be transmitted even if a user did not answer the WhatsApp call, the report explains. In many cases, the call would disappear from call logs, so it’s possible that users could have been targeted and not even realize it.
Many details about the vulnerability remain unclear, but the report suggests that the loophole was open for several weeks. In a statement, WhatsApp said:
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.”
According to the report, WhatsApp is too early in its own investigation of the attack to “estimate how many phones were targeted.” WhatsApp is used by over 1.5 billion people worldwide and is owned by Facebook.
WhatsApp reportedly disclosed the issue to the United States Department of Justice last week, and started deploying a fix to its servers on Friday. Engineers worked through Sunday before deploying a patch for customers today, the report says.
NSO Group develops tools such as Pegasus and markets them to governments around the world as a way to fight terrorism and crime. In a statement to The Financial Times, it said that it “would, or could not, use its technology in its own right to target any person or organization.”
You can read the full report from The Financial Times here.