Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.
WhatsApp, which is owned by Facebook, said the attack targeted a “select number” of users and was orchestrated by “an advanced cyber-actor”.
A fix was rolled out on Friday last week.
On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.
The surveillance software involved was developed by Israeli firm NSO Group, according to a report in the Financial Times.
Facebook first discovered the flaw in WhatsApp earlier in May.
WhatsApp promotes itself as a “secure” communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender’s or recipient’s device.
However, the surveillance software would have let an attacker read the messages on the target’s device.
Some users have questioned why the app store notes associated with the latest update are not explicit about the fix.
How was the security flaw used?
It involved attackers using WhatsApp’s voice calling function to ring a target’s device.
Even if the call was not picked up, the surveillance software could be installed. According to the FT report, the call would often disappear from the device’s call log.
Who is behind the software?
The NSO Group is an Israeli company that has been referred to in the past as a “cyber-arms dealer”.
While some cyber-security companies report the flaws they find so that they can be fixed, others keep problems to themselves so they can be exploited or sold to law enforcement.
The NSO Group is part-owned by the London-based private equity firm Novalpina Capital, which acquired a stake in February.
NSO’s flagship software, Pegasus, has the ability to collect intimate data from a target device, including capturing data through the microphone and camera and gathering location data.
Who has been targeted?
WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that suspected attacks were highly targeted.
According to the New York Times, one of the people targeted was a London-based lawyer involved in a lawsuit against the NSO Group.
Amnesty International, which said it had been targeted by tools created by the NSO Group in the past, said this attack was one human rights groups had long feared was possible.
“They’re able to infect your phone without you actually taking an action,” said Danna Ingleton, deputy programme director for Amnesty Tech. She said there was mounting evidence that the tools were being used by regimes to keep prominent activists and journalists under surveillance.
“There needs to be some accountability for this, it can’t just continue to be a wild west, secretive industry.”
On Tuesday, a Tel Aviv court will hear a petition led by Amnesty International that calls for Israel’s Ministry of Defence to revoke the NSO Group’s licence to export its products.