A system flaw in the calling function of WhatsApp
let attackers install an Israeli software that allowed them access to mobile devices of the users, Financial Times reported on Tuesday.
The malicious software, or spyware, was developed by the “secretive Israeli company NSO Group”, said the financial daily. The software installed itself in a user's mobile phone by calling the target through WhatsApp.
The spyware gained access to a person's phone even if the attacker's WhatsApp
call wasn't answered.
The calls also often disappeared from call logs, and affected Android, iPhone and Tizen-based phones.
“We believe a select number of users were targeted through this vulnerability by an advanced cyber actor. The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp said in an e-mail response.
It is working with US law enforcement to help them conduct an investigation. “These are highly sophisticated attacks. We are early in our investigation and we don’t have numbers to share though this is a relatively small amount of people,” WhatsApp added in its response.
The NSO Group has been at the centre of a controversy surrounding the use of its Pegasus software for spying on journalists, human rights activists and other persons of interest to governments. “NSO Group claims it helps governments fight terrorism and crime, but it has failed to rebut mounting evidence linking its products to attacks on human rights defenders... NSO Group has repeatedly denied, but not credibly addressed, the accounts that its Pegasus spyware platform has been misused to target human rights defenders,” human rights NGO Amnesty International said in a post on its website on Monday.
Amnesty is part of a legal action initiated in Israel against the Israeli Ministry of Defence, demanding that it revoke the export license of NSO Group, whose products have allegedly been used to spy on people.
The Pegasus software enables near-complete control over a person's phone, and can enable access to its location, e-mail, passwords, call records, microphone and camera even when they are not seemingly “on”, and also activities on common apps on the phones.
WhatsApp said it identified and “promptly fixed” the vulnerability, and late last week, made changes to its infrastructure to deny the ability for this attack to take place.
“WhatsApp encourages people to upgrade to the latest version, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson stated in an e-mail.
We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users," a WhatsApp spokesperson stated in an e-mail.
India is one of Facebook-owned WhatsApp’s largest markets, with over 200 million users, and has been on the government's scanner leading up to the ongoing general election.
“We have also provided information to US law enforcement to help them conduct an investigation. These are highly sophisticated attacks. We are early in our investigation and we don’t have numbers to share though this is a relatively small amount of people,” WhatsApp added in its response.