WhatsApp was hacked and attackers installed sophisticated spyware on an unknown number of people’s smartphones.
The Facebook subsidiary, which has 1.5 billion users, said an advanced cyber actor infected an unknown number of people’s devices with the malware, which it said it discovered in early May.
The Financial Times first reported the vulnerability. It said the bad actors were able to install the surveillance technology by phoning the target through WhatsApp’s call functionality, giving them access to information including location data and private messages.
The hackers were able to exploit a vulnerability by calling the target via WhatsApp. Even if they didn’t pick up, the malware was able to infect the target.
The FT reported that the spyware was developed by Israel’s NSO Group, whose Pegasus software is known to have been used against human rights activists. The firm denied any involvement in a statement to the FT.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said in a statement to the FT.
“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
In a statement sent to Business Insider, a spokesman added: “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
A notice on Facebook said the issue impacted both Android, iPhones, and Windows phones. An update was released on Monday that should resolve the issue and users are being urged to update, regardless of whether they have had any suspicious call activity.
Citing a source, the FT reported that the US Department of Justice was notified about the hack last month.