WhatsApp discovers 'targeted' surveillance attack; urges users to update app

Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a “select number” of users and was orchestrated by “an advanced cyber actor.”  The attack is believed to have been carried out by Israeli security firm NSO Group.

In response, WhatsApp, which says it discovered the security breach earlier this month has rolled out a fix on Friday and calls on users of the app to update their app as an added precaution.

How was the security flaw used?
It involved attackers using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software would be installed. Furthermore, traces of the call would often disappear from the device’s call log.

WhatsApp told the BBC its security team was the first to identify the flaw and shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

Who has been targeted?
WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that suspected attacks were highly-targeted.

In a statement, the group says: “NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.

“The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation.”

For more on this story, visit the BBC website.