WhatsApp users must update their app now as a bug in the app’s audio call feature allowed hackers to install spyware onto Android and iOS phones just by calling the target.
The spyware was allegedly developed by the Israeli cyber intelligence company NSO Group, the Financial Times late on Monday.
While it’s not known how many users were affected by the attack, WhatsApp estimates the numbers to be small. The vulnerability leveraged a bug in WhatsApp’s audio call feature, facilitating the installation of spyware on the device being called whether the call was answered or not.
WhatsApp said it has fixed the vulnerability that was discovered last month.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up-to-date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement.
Experts also urged users to update the app to avoid spyware on their phone. “There’s a good chance your app’s already updated itself, but this is a serious vulnerability. We advise you to check all the same,” said Sunil Sharma, Managing Director, Sales, India and Saarc, Sophos, a cybersecurity firm.
The Israel-based NSO Group works for the government, looking to infect targets of investigations and gain access to various aspects of their devices.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the WhatsApp statement read, without mentioning the NSO Group.
NSO Group told the Financial Times: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies”.
“NSO would not or could not use its technology in its own right to target any person or organisation,” the company said.
NSO limits sales of its spyware called Pegasus to state intelligence agencies and others. The software has the ability to collect intimate data from a target device.