Yikes, WhatsApp exploit allowed spyware to be installed with a phone call

WhatsApp has closed a vulnerability which allowed spyware to be installed via voice call.

Image: Fabian Sommer/picture alliance via Getty Image

A WhatsApp vulnerability allowed attackers to remotely install spyware onto phones — by simply calling them.

First reported by the Financial Times and confirmed by WhatsApp, the issue was discovered in early May and was promptly fixed by the company.

The Facebook-owned messaging service said it believed certain users were targeted through the vulnerability by an advanced cyber actor. 

As noted by the Financial Times, the spyware was developed by the Israeli cyber intelligence firm NSO Group. The malicious code could be inserted via a voice call, even if the recipient didn’t answer their phone, and the call would disappear from logs.

In a statement, WhatsApp did not name the NSO Group, but said the attack was representative of a private company which works with governments to create spyware for mobile devices.  

The messaging company said it has briefed human rights organisations on the finding, and notified U.S. law enforcement to help them conduct an investigation. 

WhatsApp said it made changes to its infrastructure last week to prevent the attack from happening, and issued an update for its app.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson said in a statement. 

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

The NSO Group is behind a spyware product called Pegasus, which allows operators to take control of a target’s phone, allowing them to switch on a phone’s camera and a microphone, as well as retrieve private data.

A spokesperson for NSO told Mashable it was investigating the WhatsApp issue.

“NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” the statement read.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” it continued. “NSO would not or could not use its technology in its own right to target any person or organization.”

Human rights organisation Amnesty International is behind legal action to revoke the NSO Group’s export licence in Israel, after an Amnesty staff member was targeted last August by Pegasus.

“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” Danna Ingleton, deputy director of Amnesty Tech, said in a statement.

Uploads%252fvideo uploaders%252fdistribution thumb%252fimage%252f91256%252fba5b0a7d 69f7 4cd9 92b7 b3dbdc2984c7.jpg%252foriginal.jpg?signature=9 pzooigxbywhatptvdsisdaloa=&source=https%3a%2f%2fblueprint api production.s3.amazonaws