WhatsApp is scrambling to determine the impact of a now-patched vulnerability in its iPhone and Android apps that allowed hackers to inject spyware into users’ devices. The security hole is at the center of at least one known recent hacking attempt against a lawyer representing a group suing the surveillance software vendor that made the spyware.
The Facebook-owned messaging service said in a statement that it distributed a server-side fix on Friday and an app update to users on Monday. The message goes on to say:
This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.
A source has told the Financial Times that the company alerted the Department of Justice last week.
Attackers using the spyware were able to inject malicious code into a target device simply by placing a WhatsApp voice call to the target's account. The call did not need to be answered: the code ran whether or not the target picked up, making this a zero-click exploit. NSO Group, the Israeli company that made the spyware in question, was briefed on the exploit and is investigating. It has said that these calls usually disappear from the phone's call logs.
NSO sells surveillance software to governments to "prevent and investigate terrorism and crime," though digital privacy and human rights activists have called the company an enabler of repressive regimes' crackdowns on journalists, whistleblowers, and dissidents. Its primary product, Pegasus, can switch on a phone's microphone and cameras and collect data from them, and can also extract location logs, emails, and messages.
Mexican nationals and a Saudi exile are suing NSO, claiming that it is complicit in its clients’ abuse of its software. Researchers at the University of Toronto’s Citizen Lab have told the Times a lawyer representing the plaintiffs was targeted with Pegasus through the WhatsApp vulnerability on Sunday. One researcher believes that the weekend patch may have prevented the attack from going through.
NSO sent a statement in response to questions about this attack. It reads in part:
Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual.
In a separate case, a Pegasus attempt was made through WhatsApp against an Amnesty International researcher in Israel; that spyware, however, was not delivered through the calling vulnerability. Citizens and civil rights groups are petitioning the Israeli Ministry of Defense to revoke NSO's export license. The agency decided against doing so after Amnesty International laid out its claims.
It is not immediately clear whether the calling flaw could be used to deliver other malicious code, or whether it depended on tooling specific to NSO or its clients. A Times source said that WhatsApp has yet to determine how many users could have been affected.