A group of hackers exploited a flaw in the WhatsApp messaging app to install surveillance tools on an unknown number of users’ phones, The Financial Times reported Monday.
The publication identified the hackers as an Israeli cyberintelligence company known as NSO Group. WhatsApp said the group has “all the hallmarks of a private company known to work with governments to deliver spyware.”
“We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society,” WhatsApp told the Financial Times, adding that it disclosed the issue to the Justice Department last week.
The hackers were able to install spyware on users’ phones simply by calling them. A user’s device could be injected with the spyware even if they missed the call, and often, the call would disappear from the phone’s call log.
Once installed, the surveillanceware is capable of turning on a phone’s camera and microphone, scanning emails and messages, and collecting the user’s location data.
Vulnerability fixed in latest update
Facebook said in a security advisory that the WhatsApp hack stemmed from a “buffer overflow” attack.
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” according to the advisory.
“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15,” the advisory continued.
The Facebook-owned messaging service released a patch for the security vulnerability on Monday and is urging users to upgrade to the latest version of the app.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a statement. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”