The Financial Times earlier reported that the Israeli cyber intelligence company NSO Group had allegedly found a way to use the messenger platform’s calling mechanism to hack into people’s phones without their consent.
WhatsApp’s spokesman has stated, referring to earlier reports of the messenger being used to hack users’ phones, that the company has referred the breach to the US Department of Justice. The company noted that the attack was “pretty sophisticated” and has “all the hallmarks of a private company working with governments on surveillance”.
The spokesman added that the company also notified key European regulators and Ireland’s Data Protection Commission (DPC) about the spyware attack via the WhatsApp platform.
WhatsApp’s spokesman reiterated earlier statements that the company had notified a number of human rights organisations across the world about the attack via its platform. The company noted, however, that only a “select number of users were targeted” in the attack.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices”, the spokesman said.
Graham Cluley, an independent computer security expert, commented on the breach, saying that with sophisticated software like WhatsApp or any other messenger, bugs and their use as exploits are inevitable. He stressed that the messenger had become a “prime target” for intelligence agencies and authoritarian governments, as it’s used by a vast number of people for “sensitive communications”.
The cybersecurity expert believes that the WhatsApp exploit was used to deliver the notorious Pegasus spyware, reportedly developed by the Israeli cyber intelligence company NSO Group.
“Pegasus is a powerful tool for stealing information from smartphone users — including sensitive messages, address books, email archive, browser history, GPS location, and even hijacking a device’s camera and microphone”, Cluley said.
Speaking about the NSO Group, the expert noted that despite claims of operating with licensed law enforcement agencies, such companies again and again end up in scandals, as their software is used by “authoritarian regimes on their enemies at home and abroad”.
“NSO Group, and other so-called ‘cyber arms dealers’ operate in a shady grey area between legitimate organisations and those who hack our computers and smart phones”, he said.
According to a previous report by the Financial Times, the new phone spyware infection method was used against a UK-based lawyer who is involved in efforts by a group of Mexican journalists and government critics to sue Israeli cyber intelligence company NSO Group. The company is accused of providing secret services with spyware that was later used against activists, but vehemently denies it. According to the newspaper, NSO Group was also responsible for creating the new spyware used in the WhatsApp attacks.
NSO Group has commented on the report, stating that it only provides its software to government agencies “for the sole purpose of fighting crime and terror” and doesn’t use such software itself.
The vulnerability allowed the attacker to infect the victim’s iPhone or Android device with spyware merely by calling it via the WhatsApp calling functionality. The victim didn’t even need to pick up the call to become infected. WhatsApp rolled out a fix on its servers on 10 May and a patch for app users on 13 May.