Hackers were able to remotely install surveillance software
on phones and other devices using a major vulnerability in messaging app
WhatsApp.
WhatsApp, which is owned by Facebook, confirms that the
attack targeted a "select number" of users and was orchestrated by
"an advanced cyber-actor". WhatsApp has urged all of its 1.5 billion
users to update their apps as an added precaution.
The surveillance software involved was developed by Israeli
firm NSO Group, according to a report in the Financial Times. Facebook first
discovered the flaw in WhatsApp earlier in May.
The surveillance software would have let an
attacker read the messages on the target's device.
Some users of the app have questioned why the
app store notes associated with the latest update are not explicit about the
fix.
How was the security flaw used?
It involved attackers using WhatsApp's voice calling
function to ring a target's device. Even if the call was not picked up, the
surveillance software could be installed. According to the FT report, the call
would often disappear from the device's call log.
WhatsApp told the BBC its security team was the first to
identify the flaw. It shared that information with human rights groups,
selected security vendors and the US Department of Justice earlier this month.
"The attack has all the hallmarks of a private company
reportedly that works with governments to deliver spyware that takes over the
functions of mobile phone operating systems," the company said on Monday in a
briefing document note for journalists.