WhatsApp flaw let attackers install spyware with a phone call

A feature of the messaging app was used to secretly install malicious code, the Financial Times reports.

Steven Musil Night Editor / News

A vulnerability in messaging app WhatsApp allowed attackers to install spyware onto phones, the Financial Times reported Monday.

The malicious code, developed by Israeli company NSO Group, was installed on both iPhones and Android phones through the app's phone call feature, the newspaper reported. The spyware could be transmitted even if the target didn't answer the call, and the calls often disappeared from users' call logs.

Facebook-owned WhatsApp said the attack has the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a WhatsApp spokesperson said in a statement.

In 2016, NSO Group was accused of providing spyware to nation-states to steal data from activists' iPhones. The company has said it obeys applicable laws.

NSO said Monday that its technology is licensed to governments to fight crime and terror.

"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions," NSO said in a statement. "We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," NSO said, adding that it would never use its own technology to target an individual or organization.

WhatsApp, which has about 1.5 billion users, reportedly doesn't know how many phones may have been infected with the spyware.

Engineers at the company were working to close the vulnerability Sunday night and issued a patch for customers on Monday, the Financial Times reported. 

WhatsApp said it informed the US Justice Department of the vulnerability last week.

The Justice Department didn't immediately respond to requests for comment.

Originally published at 4:45 p.m. PT
Update at 6:55 p.m.: Added NSO comment.