Urgent patches have been issued for Facebook’s messaging service WhatsApp after a significant spyware vulnerability was discovered with “all the hallmarks” of a government surveillance operation.
The recently discovered vulnerability in WhatsApp allowed attackers to gain access to an iPhone or Android phone and extract all of its data – texts, emails, location data, contacts, and browser history – just by placing a call through the messaging app.
The zero-click vulnerability meant the attackers did not even need the WhatsApp user to answer the call to gain access to their phone, with the log of the call being deleted so they might not even be aware it took place.
The spyware installed on the phones through the WhatsApp breach was allegedly developed by Israeli cyber surveillance firm NSO Group, according to the Financial Times. NSO creates technology that “helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe”, according to the company itself.
Its flagship product, Pegasus, allows attackers to extract the data from a phone and activate its camera and microphone.
WhatsApp said a “select number” of users were impacted by the breach, which was orchestrated by an “advanced cyber-actor”.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said.
“We have briefed a number of human rights organisations to share the information we can and to work with them to notify civil society.”
The Financial Times also reported that one target was a lawyer who has been involved in a lawsuit brought against NSO Group by a group of Mexican journalists and a Saudi Arabian dissident.
In a statement, NSO Group denied involvement in the attack.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” NSO said.
“NSO could not, or would not, use its technology in its own right to target any person or organisation, including this individual.”
The vulnerability in WhatsApp was discovered by parent company Facebook earlier this month.
The company alerted US law enforcement last week, and fixed the issue on the server side on Friday.
The company is also urging all 1.5 billion WhatsApp users around the world to update the app immediately for further safety.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesperson said.
The WhatsApp app itself also made no mention of the security vulnerability, instead focusing on users being able to “see stickers in full size when you long press a notification”.
It is currently unknown how many WhatsApp users were impacted by the potential attacks.
It’s not a good start to Facebook’s “new chapter” putting privacy front and centre of everything the social media giant does.
At its annual tech conference earlier this month, Facebook founder and CEO Mark Zuckerberg said the company had turned over a new leaf on privacy following a series of significant and high-profile privacy incidents, most prominently the Cambridge Analytica scandal, which saw the data of more than 80 million users compromised.
“We believe that for the future, people want a privacy-focused social platform,” Zuckerberg said.
“I believe that if we build out a fully encrypted interoperable service...that’s going to be an important contribution to the world. The future is private.”
WhatsApp will play a prominent role in Facebook’s new focus on privacy, with the company regularly touting the security of the app, which employs end-to-end encryption.
Facebook also recently revealed its plans to merge WhatsApp with Facebook Messenger to create a single messaging service. The aim is to make it easier for users to communicate across Facebook, Instagram and WhatsApp, and the merged service is expected to be rolled out by the end of the year.