A vulnerability in the world’s popular messaging app WhatsApp has allowed attackers to insert commercial Israeli spyware on to phones, the company and a spyware technology dealer said.
The vulnerability (documented here) was discovered by the Facebook-owned WhatsApp in early May. It apparently leveraged a bug in the audio call feature of the app to allow the caller to allow the installation of spyware on the device being called, whether the call was answered or not.
Whatsapp said the attack has the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson said in a statement.
So what about NSO Group? Is this attack their work as well? The company told the Financial Times, which first reported the attack, that it was investigating the issue. But it noted that it is careful not to involve itself with the actual applications of its software — it vets its customers and investigates abuse, it said, but it has nothing to do with how its code is used or against whom.