WhatsApp and the National Cyber Security Centre (NCSC) have urged users to update their messaging app after it was revealed that hackers could inject spy software on to phones via the call function.
The Facebook-owned company said the spyware was spread by an “advanced cyber actor”, and infected multiple mobile phones using a major vulnerability in the app.
The spyware, developed by the secretive Israeli spyware company NSO Group, has the ability to give hackers full access to a phone remotely, allowing them to read messages, see contacts and activate the camera.
WhatsApp confirmed that a “select number” of users had been victims and that the bug affects all but the latest version of the app on iOS and Android.
A WhatsApp spokesman said the flaw was discovered while “our team was putting some additional security enhancements to our voice calls” and that engineers found that people targeted for infection “might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped”.
“We are deeply concerned about the abuse of such capabilities,” WhatsApp said in a statement.
The attack involved cyber hackers using WhatsApp’s voice calling function to ring a device. The surveillance software would then be installed, even if that call was not picked up.
The National Cyber Security Centre, the cyber arm of GCHQ, warned WhatsApp users about the vulnerability and urged them to update their apps.
“It’s important to apply these updates quickly, to make it as hard as possible for attackers to get in,”
The vulnerability was also used to target a researcher at Amnesty International, which is fighting for the NSO Group to have its export licence withdrawn by the Israeli government.
WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday.
NSO said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.
“NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”
What app versions have been affected?
WhatsApp has said that it was a targeted campaign and that “dozens” of accounts could have been affected.
The affected versions of the app are:
- WhatsApp for iOS prior to v2.19.51
- WhatsApp for Tizen prior to v2.18.15
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for Windows Phone prior to v2.18.348
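For administrators checking a device inventory against the list above, the following is an added example (not code from the article or from WhatsApp): it takes the version floors exactly as listed, compares them numerically rather than as strings, and flags devices still on an affected build. The inventory format and device ids are constructed for illustration.

```python
"""Flag WhatsApp installs still below the first fixed version per platform."""

# First fixed version per product/platform, as listed in the article.
FIXED_VERSIONS = {
    ("WhatsApp", "iOS"): "2.19.51",
    ("WhatsApp", "Tizen"): "2.18.15",
    ("WhatsApp", "Android"): "2.19.134",
    ("WhatsApp Business", "iOS"): "2.19.51",
    ("WhatsApp Business", "Android"): "2.19.44",
    ("WhatsApp", "Windows Phone"): "2.18.348",
}


def parse_version(version):
    """Split 'v2.19.134' into (2, 19, 134) so the comparison is numeric.

    A plain string comparison ranks '2.19.134' below '2.19.51' because
    '1' sorts before '5', which would wrongly mark a patched build as affected.
    """
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_affected(product, platform, version):
    """True if the installed build is older than the fix; None if the
    product/platform pair is not in the advisory table."""
    fixed = FIXED_VERSIONS.get((product, platform))
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def flag_inventory(lines):
    """Return device ids whose build is still affected.

    Each line is 'device_id,product,platform,version' (constructed format,
    an assumption of this example rather than any real MDM export).
    """
    flagged = []
    for line in lines:
        device_id, product, platform, version = [f.strip() for f in line.split(",")]
        if is_affected(product, platform, version):
            flagged.append(device_id)
    return flagged


# Constructed sample inventory; the device ids are not real.
SAMPLE_INVENTORY = [
    "dev-001,WhatsApp,Android,2.19.134",
    "dev-002,WhatsApp,Android,2.19.99",
    "dev-003,WhatsApp,iOS,2.19.50",
    "dev-004,WhatsApp Business,Android,2.19.44",
    "dev-005,WhatsApp,Windows Phone,2.18.347",
]

if __name__ == "__main__":
    print(flag_inventory(SAMPLE_INVENTORY))  # ['dev-002', 'dev-003', 'dev-005']
```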