Messaging service WhatsApp has urged all its 1.5 billion users around the world to update their app after it discovered a vulnerability that allowed hackers to insert targeted surveillance malware onto users' mobile devices.
The Facebook-owned service said the attack was conducted by an "advanced cyber actor" and had been targeted specifically at certain users.
It worked by using the app's voice calling function to initiate a phone call to the target's device. This then allowed them to install spyware onto the phone, which could give the attacker full visibility into the phone's usage, including reading messages, viewing contacts and even activating the camera.
Because the call did not have to be answered for the spyware to be installed, and the fact that it could also delete any log of the call from WhatsApp's records, users would have no idea they had been compromised, and would not have been able to do anything about it.
The spyware has been identified as being developed by Israeli security firm NSO Group, according to a report in the Financial Times. The newspaper noted the company's flagship product is called Pegasus, and is able to turn on a phone's microphone and camera, trawl through emails and messages and collect location data.
NSO Group markets the software to intelligence agencies as a tool to help governments fight terrorism and crime.
In a statement, WhatsApp said: "The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems."
The messaging service added it had alerted the US Department of Justice to the issue last week, and its engineers have been working to develop a fix for the vulnerability, which was made available to customers on Monday (May 13th).
NSO Group has also issued a statement, stressing that it is not involved in the operation of the technology it sells, and has a rigorous vetting process for its customers.