A huge flaw in WhatsApp enabled hackers to spy on some of its 1.5bn users’ devices, the tech giant has confirmed.
The Facebook-owned company yesterday urged its 1.5bn users to update their apps to download a patch it released last Friday for the bug.
It admitted yesterday that a “select number” of users were targeted by “an advanced cyber actor”.
The spyware was developed by Israeli cyber intelligence firm NSO Group, the Financial Times reported.
Hackers were able to place a call to a target WhatsApp user, which would transmit the malicious code whether or not the user answered the call.
Evidence of the call was often then erased, the FT reported.
Whatsapp said it discovered the bug earlier this month and acted quickly to safeguard its own infrastructure.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp said in a statement. “We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society.”
It has informed US law enforcement of the hack and has also published an advisory to other cybersecurity experts about the bug.
In the advisory, WhatsApp described the flaw as a “buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number”.
The bug affects WhatsApp for Android versions before v2.19.134 and WhatsApp for iOS versions before v2.19.51.
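The advisory's wording describes a class of flaw rather than the specific code: a packet parser that trusts a length field it read from the network. As an added illustration (not WhatsApp's code, which is not public, and with hypothetical function names), this is a bounds-checked reader for the RTCP header layout that SRTCP packets keep in the clear, where every declared length is compared with the bytes actually received before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Validate one RTCP sub-packet header at buf[0..len) (RFC 3550, 6.4.1). The
   16-bit length field counts 32-bit words minus one, so the sub-packet occupies
   (length + 1) * 4 bytes. Returns that size, or 0 if the header is truncated,
   the version is not 2, or the declared size does not fit in the bytes actually
   received (the comparison a length-trusting parser omits). */
size_t rtcp_sub_packet_len(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4 || (buf[0] >> 6) != 2)
        return 0;
    size_t words = ((size_t)buf[2] << 8) | buf[3];
    size_t length_bytes = (words + 1) * 4;
    return length_bytes <= len ? length_bytes : 0;
}

/* Walk a compound RTCP packet. Returns the sub-packet count, or -1 as soon as
   one sub-packet fails validation, so nothing past a bad header is touched. */
int rtcp_count_compound(const uint8_t *buf, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        size_t used = rtcp_sub_packet_len(buf + off, len - off);
        if (used == 0)
            return -1;
        off += used;
    }
    return n;
}

/* Copy the first sub-packet into a fixed-size destination. Returns the bytes
   copied, or 0 if the packet is malformed or larger than dst_cap: both the
   wire length and the destination capacity bound the memcpy. */
size_t rtcp_copy_checked(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap)
{
    size_t used = rtcp_sub_packet_len(buf, len);
    if (used == 0 || dst == NULL || used > dst_cap)
        return 0;
    memcpy(dst, buf, used);
    return used;
}
```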
It was reportedly used just two days ago against a UK-based attorney involved in a lawsuit against NSO Group brought by Mexican journalists, government critics and a dissident from Saudi Arabia.
NSO Group told the FT it was investigating the attacks.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” NSO Group told the FT. “NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual.”