WhatsApp has urged users to update their messaging app after concerns were raised that hackers could inject spy software on to phones via the call function.
The Facebook-owned company said the spyware was spread by an “advanced cyber actor”, and infected multiple mobile phones using a major vulnerability in the app.
The spyware, developed by the secretive Israeli spyware company NSO Group, has the ability to give hackers full access to a phone remotely, allowing them to read messages, see contacts and activate the camera.
WhatsApp confirmed that a “select number” of users had been victims and that the bug and that the bug affects all but the latest version of the app on iOS and Android.
On Tuesday, WhatsApp said it had referred the incident to the US Department of Justice. It has also informed Ireland’s Data Protection Commission, its main regulator in the European Union, of a “serious security vulnerability” on its platform.
The attack involved cyber hackers using WhatsApp’s voice calling function to ring a device. The surveillance software would then be installed, even if that call was not picked up.
The National Cyber Security Centre, the cyber arm of GCHQ, warned WhatsApp users about the vulnerability and urged them to update their apps. “It’s important to apply these updates quickly, to make it as hard as possible for attackers to get in,” the spy agency said.
The Financial Times on Monday evening reported that cyber hackers had been using the loophole up until Sunday evening, when it was used to target a UK-based human rights lawyer.
A spokesman for NSO, which is believed to sell its spyware to intelligence agencies and nation states, said that it was investigating the issue. The spokesman said NSO “would not, or could not” use its own technology to target “any person or organisation”, including the UK lawyer.
The vulnerability was also used to target a researcher at Amnesty International, which is fighting for the NSO Group to have its export license withdrawn by Israeli government.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.
It also said that it had carefully vetted customers and investigated any abuse. The company has previously been accused of selling software used to spy on the phone of the murdered Saudi Arabian journalist Jamal Khashoggi.
John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack “a very scary vulnerability.”
“There’s nothing a user could have done here, short of not having the app,” he said.
WhatsApp, which has more than 1.5 billion users, immediately contacted Citizen Lab and human rights groups, fixed the issue and pushed out a patch. WhatsApp also provided information to US law enforcement officials to assist in their investigation.
A WhatsApp spokesman said the flaw was discovered while “our team was putting some additional security enhancements to our voice calls” and that engineers found that people targeted for infection “might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped”.
“We are deeply concerned about the abuse of such capabilities,” WhatsApp said in a statement.
The revelation adds to the questions over the reach of the Israeli company’s powerful spyware, which can hijack smartphones, control their cameras and effectively turn them into pocket-sized surveillance devices.
“NSO Group has been bragging that it has no-click install capabilities for quite some time,” said Eva Galperin, director of cyber security at the Electronic Frontier Foundation.
Amnesty International said last year it believed it had been targeted by spyware developed by NSO in Saudi Arabia. In June 2018, the human rights organisation said a staff member was targeted over WhatsApp in an attempt to remotely install NSO’s Pegasus surveillance tool.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty Tech.
Last week Facebook announced it would be end-to-end encrypting its Messenger app, in a new focus on “privacy first” after years of privacy and security mishaps.
The company previously announced plans to merge WhatsApp, Facebook and Instagram’s software architecture, raising the question as to whether an insecurity in one platform will lead to holes across all three products.
Source: the telegraph