WhatsApp uncovered a security flaw that allowed hackers to install and use spyware on phones, the company has confirmed to Euronews.
It identified and fixed the security flaw but said that some users were targeted.
WhatsApp, an encrypted messaging programme owned by Facebook, began rolling out an upgrade for its estimated 1.5 billion users on Friday.
The flaw allowed attackers to install commercial Israeli surveillance spyware on phones through the messaging app’s phone call function, according to a report in the Financial Times (FT).
How did the attack work?
A WhatsApp spokesperson told Euronews that this type of attack “would be highly selective in nature and would be available to only advanced and highly motivated actors”.
The “advanced actor” in this case used code developed by Israeli company NSO Group, according to the FT.
The spyware manufacturer is known to sell surveillance software to countries such as Saudi Arabia.
By calling a targeted user through the app, hackers could install the Israeli software onto both iPhones and Androids even if the user did not answer the call, the FT report said.
The company’s flagship spyware program, “Pegasus”, can take control of a phone camera and microphone, track movement and record calls.
An NSO spokesperson told Euronews that the company licenses software to “government agencies for the sole purpose of fighting crime and terror,” but that “intelligence and law enforcement determine how to use the technology to support their public safety missions.”
Who was targeted?
A UK-based human rights lawyer’s phone was targeted as late as Sunday, according to the FT report.
In a statement to Euronews, the Israeli spyware company said “NSO would not or could not use its technology in its own right to target any person or organization, including this individual,” presumably referring to the lawyer targeted.
Amnesty International said that the company’s “Pegasus” software has been used to target at least 24 human rights defenders, journalists and parliamentarians in Mexico, an Amnesty employee, and Saudi and Emirati activists.
The software reportedly helped Saudi Arabia to spy on journalist Jamal Khashoggi, who was killed in the Saudi consulate in Istanbul in 2018.
The human rights organisation will file a petition on Tuesday at the District Court of Tel Aviv to attempt to stop NSO Group from exporting its products.
Between August 2016 and August 2018, the University of Toronto’s “Citizen Lab” tracked the NSO software to 45 countries, of which “at least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.”
What can you do to protect yourself?
WhatsApp issued a security fix and cybersecurity notice on Monday for users and security professionals.
Users should upgrade the app to get the security fix by checking updates in their phone’s application store.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson wrote in an email to Euronews.
App Versions Affected: WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.