Messaging service WhatsApp has urged all its 1.5 billion users around the world to update their app after it discovered a vulnerability that allowed hackers to insert targeted surveillance malware onto users' mobile devices.
The Facebook-owned service said the attack was conducted by an "advanced cyber actor" and had been targeted specifically at certain users.
It worked by using the app's voice calling function to initiate a phone call to the target's device. This then allowed the attacker to install spyware onto the phone, which could give them full visibility into the phone's usage, including reading messages, viewing contacts and even activating the camera.
Because the call did not have to be answered for the spyware to be installed, and because it could also delete any log of the call from WhatsApp's records, users would have no idea they had been compromised and would not have been able to do anything about it.
The spyware has been identified as being developed by Israeli security firm NSO Group, according to a report in the Financial Times. The newspaper noted the company's flagship product is called Pegasus, and is able to turn on a phone's microphone and camera, trawl through emails and messages and collect location data.
NSO Group markets the software to intelligence agencies as a tool to help governments fight terrorism and crime.
In a statement, WhatsApp said: "The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems."
The messaging service added it had alerted the US Department of Justice to the issue last week, and its engineers have been working to develop a fix for the vulnerability, which was made available to customers on Monday (May 13th).
NSO Group has also issued a statement, stressing that it is not involved in the operation of the technology it sells, and has a rigorous vetting process for its customers.