WhatsApp, which is owned by Facebook, said the attack targeted a “select number” of users, and was orchestrated by “an advanced cyber actor”.
Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed. On Monday WhatsApp urged all of its 1.5bn users to update their apps as an added precaution.
The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times. It was first discovered earlier this month.
Attackers using WhatsApp’s voice calling function would ring a target’s device. Even if the call was not picked up, the surveillance software would be installed, and, according to Financial Times, the call would often disappear from the device’s call log.
WhatsApp said its security team was the first to identify the exploit, and shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said on Monday in a briefing document note for journalists.
NSO Group is best known for its reported, but not confirmed, role in assisting the FBI in opening the phone of the San Bernardino mass shooter after Apple fought an FBI request to do so. NSO Group declined to comment.
The claims raise serious problems for WhatsApp’s reputation, which has been built on the privacy and security of the end-to-end encryption.
Why does it matter?
End-to-end encryption means data sent via WhatsApp, and generally any other application claiming to offer end-to-end encryption, is scrambled in transit, and only understandable by the party sending it and the party receiving it — whether the data is in the form of texts, pictures or voice conversations. It’s a major selling point for the applications of that sort.
WhatsApp’s security in transit has made it a popular choice for people wishing to communicate “out of band” — off regular, unencrypted or corporate communications channels — about all manner of personal information, including everything from legal and business matters to personal or political problems.
The investigation is in its early stages, but WhatsApp will have to put up a lion fight to maintain its reputation among security-minded customers who are worried their data could be compromised, not only by the Israeli company, but by any other individual.