A critical vulnerability discovered in the WhatsApp messaging app is being exploited to inject commercial spyware onto iOS and Android phones by simply calling the target, according to the Financial Times. The spyware, developed by Israel’s secretive NSO Group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp.
Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” said WhatsApp in a statement.
The vulnerability, discovered in early May, was targeted as recently as Sunday when a UK-based human rights lawyer was attacked by NSO’s flagship Pegasus program, according to researchers at Citizen Lab. The attack was blocked by WhatsApp. WhatsApp is investigating the situation but is so far unable to estimate the number of phones successfully targeted by the exploit, said a source speaking to the FT.
WhatsApp has just pushed out updates to close a vulnerability. We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer. Now is a great time to update your WhatsApp software https://t.co/pJvjFMy2aw https://t.co/e8VQUraZWQ
— Citizen Lab (@citizenlab) May 13, 2019
NSO says it sells Pegasus to governments and law enforcement agencies to help fight terrorism and crime. But that hasn’t stopped the company’s spyware from being used by countries, organizations, and individuals undeterred by human rights concerns. In 2016, NSO spyware was implicated in an attack on an Emirati human rights activist named Ahmed Mansoor. In 2018, NSO’s spyware was aimed at prominent TV journalist Carmen Aristegui and 11 others while they were investigating a scandal involving the Mexican President.
Researchers claim that NSO’s powerful spyware has been used by as many as 45 countries to aid in the persecution of dissidents, journalists, and other innocent civilians.