A Now-Fixed WhatsApp Vulnerability Enabled the Installation of Spyware on Users’ Phones

According to reports, the code was developed by Israeli company NSO Group

WhatsApp provided information on the attack to law enforcement in the U.S.

WhatsApp discovered and fixed a vulnerability in its voice-over-internet-protocol calling feature that enabled a third-party company to install spyware on users’ phones.

The Facebook-owned messaging application identified the vulnerability earlier this month and fixed it within 10 days, making changes to its infrastructure to prevent this attack from taking place.

WhatsApp would not share a specific total of people potentially affected, saying only that it suspects the number is small because of the complexity involved in deploying the attack.

A spokesperson said, “WhatsApp encourages people to upgrade to the latest version of our app, as well as to keep their mobile operating system up to date, in order to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

WhatsApp said the attack shows signs of coming from a private company that partners with governments on spyware that takes over the OS on mobile phones.

While WhatsApp did not name the company, Financial Times reported that the code came from Israeli company NSO Group.

According to FT, the code was installed on both iPhones and Android smartphones by exploiting the bug in the app’s audio call feature, and the spyware could be installed whether or not the recipient answered the calls, with those calls often disappearing from victims’ call logs.

FT reported that the spyware used in the attack was Pegasus, from NSO Group, which is licensed to governments for the purpose of gaining access to people’s devices during investigations.

In August 2016, internet security firm Lookout and internet watchdog group Citizen Lab said NSO Group software was discovered on the iPhone of Ahmed Mansoor, a human rights activist in the United Arab Emirates.

The company denied wrongdoing last September, and it did so again in a statement this week.

NSO Group said, “The company does not operate the system and, after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”

WhatsApp expressed concerns with the potential abuses of its platform, saying that it briefed several human rights organizations, filed a CVE (Common Vulnerabilities and Exposures) notice detailing the vulnerability and provided information to law enforcement in the U.S.

WhatsApp is generally perceived as the most secure of the Facebook family of apps, as all communications sent via its platform have been fully end-to-end encrypted since April 2016.