Spyware developed by an “advanced cyber actor” infected multiple targeted mobile devices through the popular WhatsApp communications program without any user intervention through in-app voice calls. The issue has already been fixed, WhatsApp adds, and urges users to update their apps to avoid being targetted by the security snafu.
The Financial Times identified the actor as Israel’s NSO Group, and a WhatsApp spokesman later said “we’re certainly not refuting any of the coverage you’ve seen.” WhatsApp says it fixed the security hole through a server-side fix on the 10th of May, and released patched Android and iOS apps on Monday. Users are urged to update their apps.
The malware was able to penetrate phones through missed calls alone via the app’s voice calling function, the spokesman for the Facebook subsidiary said late Monday. An unknown number of people — an amount in the dozens at least would not be inaccurate — were infected with the malware, which the company said it discovered in early May, said the spokesman, who was not authorized to be quoted by name.
The revelation adds to the questions over the reach of the Israeli company’s powerful spyware, which can hijack smartphones, control their cameras and effectively turn them into pocket-sized surveillance devices.
NSO’s spyware has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents.