Updated 10:08 EST - We've posted instructions on how to update WhatsApp for Android and iOS.
A serious WhatsApp loophole has allowed the installation of spyware on iOS and Android devices via a phone call, with a few cases of highly invasive software being successfully injected already confirmed.
WhatsApp, which has 1.5 billion users, learned of the vulnerability earlier in May, and informed the US Department of Justice during the week beginning May 6. After working to fix the problem on its own servers, it then released an update for users on May 13 which fixes the issue on the client side.
The code, according to a source speaking to the Financial Times, was developed by NSO Group, a company based in Israel. It worked by calling the target phone via WhatsApp. Whether or not the user of that phone answered, the software would be injected.
NSO Group develops spyware for use by Middle Eastern and western governments, with its main product, Pegasus, being capable of turning on a phone’s camera and microphone, reading emails and messages, and sending location data.
Speaking to the Financial Times, NSO Group said it was not “involved in the operating or identifying of targets of its technology”.
“NSO would not, or could not, use its technology in its own right to target any person or organization,” it continued, going on to refer to a specific case in which a human rights lawyer based in the UK was targeted by the exploit in question.
This anonymous lawyer has represented clients from Mexico and Saudi Arabia who have sued NSO Group. The cases of these journalists and anti-government critics argue that NSO should take responsibility for the actions of the clients to whom it sells its technology.
Facebook, owner of WhatsApp, has published a brief summary of the problem on its security pages, and which versions of the app are susceptible to it. While it has begun an investigation into the vulnerability, WhatsApp has yet to estimate how many people were affected or targeted.
In a statement on the matter, WhatsApp did not mention NSO Group, but did state that “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”
While it appears that this spyware was only targeted at limited numbers of specific individuals, it’s still worth making sure your app is secure by checking if your device has the most recent version of WhatsApp downloaded.