SAN FRANCISCO – A vulnerability in WhatsApp allowed hackers to install spyware on some targeted phones and access data from those devices, the popular messaging app said on Monday.
The flaw in the encrypted messaging service has now been fixed, but an unknown number of users were affected, according to the Facebook-owned app.
“Earlier this month, WhatsApp identified and immediately fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices,” WhatsApp confirmed in a press release.
The flaw in the messaging app was first reported exclusively by the Financial Times.
The messaging app urged all its 1.5 billion users worldwide to update the application to its latest version as a precaution and “keep their mobile OS updated, to receive the latest security protections.”
The spyware was capable of infecting phones running either Apple's iOS or Google's Android operating system.
WhatsApp, which was acquired by Facebook in 2014, said that, so far, it cannot specify how many people were affected.
“A select number of users were targeted through this vulnerability,” it said, which would not imply a large-scale attack.
The spyware that was remotely installed on the targeted phones resembles the technology developed by the Israeli cybersecurity company NSO Group, which has led WhatsApp to regard the company as the main suspect behind the breach.
The vulnerability in the system, which the company fixed with a software patch on Monday, was detected only a few days ago. It is, however, unknown how long the spying activities had been going on.
The hackers placed WhatsApp calls to the phones whose data they wanted to access; even if the person did not answer the call, spyware could be installed on the device.
In many cases, the call disappeared from the device's call log, so a person who had not seen the incoming call at the time would not suspect anything.
WhatsApp also reported that “we have briefed a number of human rights organizations (that were among the victims of the hack) to share the information” with cybersecurity companies as well as with the US Department of Justice.
The fact that some of the affected organizations were human rights platforms reinforced the hypothesis of NSO Group's involvement, since its software has been used in the past to carry out attacks against such entities.
NSO Group, which operates in an opaque manner and has been shrouded in secrecy for years, designs spyware for its customers, including governments around the world, who use it to access mobile devices for surveillance.