Spyware crafted by an “advanced cyber actor” infected multiple targeted mobile phones through the WhatsApp messaging service without any user intervention through in-app voice calls.
The malware was able to penetrate phones through missed calls alone via the application’s voice calling function, a spokesperson for the Facebook subsidiary said on Monday.
An unknown number of mobile phones were infected by the malware, which the company said it discovered in early May, according to the spokesperson.
The Financial Times identified the “actor” as Israel-based NSO Group, which makes products for Middle Eastern and Western intelligence agencies. A WhatsApp spokesperson later said, “We’re certainly not refuting any of the coverage you’ve seen.”
The spokesperson did not mention NSO in a statement on the flaw but said the attack had “all the hallmarks of a private company that has been known to work with governments to deliver spyware that has the ability to take over mobile phone operating systems”.
WhatsApp, which has more than 1.5 billion users, said it contacted Citizen Lab and human rights groups, quickly fixed the issue and pushed out a patch.
The flaw was discovered while “our team was putting some additional security enhancements to our voice calls” and engineers found that people targeted “might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped”.
WhatsApp urged its users to upgrade to the latest version of its application and keep mobile operating systems up to date “to protect againt potential targeted exploits”.
The attack targeted iPhones, as well as phones with Google’s Android system, Microsoft Windows phones and Samsung’s Tizen system.
John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack “a very scary vulnerability”.
”There’s nothing a user could have done here, short of not having the app,” he told the Associated Press news agency.
Spokespeople for NSO Group did not immediately respond to an email from the AP seeking comment.
NSO says its products enable government intelligence and law enforcement agencies to investigate and prevent terrorism and crime.
The revelation adds to the questions over the reach of the Israeli company’s powerful spyware, which can hijack mobile phones, control their cameras and effectively turn them into pocket-sized surveillance devices.
NSO’s spyware has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents.
According to a New York Times report last year, the United Arab Emirates had asked NSO to hack into the phones of the Qatari emir and a Saudi prince among other political and regional rivals.
The spyware was also implicated in the gruesome killing of journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year. His body could not be found.
Several alleged targets of the spyware, including a close friend of Khashoggi and several Mexican civil society figures, are currently suing NSO in an Israeli court over the hacking.