Spyware made by an “advanced cyber celebrity” infected multiple targeted mobile phones through the popular WhatsApp communications program, with no user intervention, via in-app voice calls, the company said. WhatsApp adds that the problem has already been repaired and urges users to update their apps to avoid being targeted through the security snafu.
The Financial Times identified the celebrity as Israel’s NSO Group, and a WhatsApp spokesman later said, “we’re certainly not refuting some of the coverage you have seen.” WhatsApp says it fixed the security gap through a server-side fix on May 10, and published patched Android and iOS apps on Monday. Users are encouraged to upgrade their apps.
The malware managed to intercept phones through missed calls via the program’s voice calling function, the spokesman for the Facebook subsidiary said late Monday. An unknown number of individuals (a number in the dozens at least would not be incorrect) were infected with the malware, which the company said it discovered in early May, said the spokesman, who wasn’t authorized to be quoted by name.
John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack “a very scary vulnerability.” “There is nothing that a user could have achieved here, short of not needing the program,” he explained.
The WhatsApp spokesman said that the attack had “all the hallmarks of a private company that’s been proven to work with authorities to deliver spyware which has the capability to carry over mobile phone operating systems.”
The spokesman said WhatsApp, which has more than 1.5 billion users, immediately contacted Citizen Lab and human rights groups, quickly fixed the issue and pushed out a patch. He said WhatsApp also provided advice to US law enforcement officers to help in their investigation.
He said the defect was discovered while “our team was putting a few extra security enhancements to our voice calls” and that engineers found that individuals targeted for infection “might get one or two calls from a number that’s not familiar to them. From the process of phoning, this code becomes shipped.”
“We’re deeply concerned about the misuse of such capabilities,” WhatsApp said in a statement.
Spokespeople for NSO Group didn’t immediately respond to an email from The Associated Press seeking comment.
The revelation adds to the questions over the reach of the Israeli company’s powerful spyware, which can hijack smartphones, control their cameras and effectively turn them into pocket-sized surveillance devices.
Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.
Several alleged targets of this spyware, including a close friend of Khashoggi and many Mexican civil society figures, are now suing NSO in an Israeli court over the hacking.
That makes the discovery of the vulnerability particularly disturbing, because among the targets was a human rights lawyer, the attorney told the AP.
The attorney, who spoke on condition of anonymity for professional reasons, said he received several suspicious missed calls over the last few months, the latest on Sunday, just hours before WhatsApp issued the update to users repairing the defect.