A vulnerability in the globally popular messaging
app WhatsApp has allowed attackers to install commercial Israeli spyware on
phones, the company and a spyware technology dealer said.
The vulnerability (documented
here) was discovered by the Facebook-owned WhatsApp in early May. It
apparently leveraged a bug in the audio call feature of the app, allowing the
caller to install spyware on the device being called, whether
the call was answered or not.
WhatsApp said the attack has the hallmarks of
a private company that reportedly works with governments to deliver spyware
that takes over the functions of mobile phone operating systems.
“WhatsApp encourages people to upgrade to
the latest version of our app, as well as keep their mobile operating system up
to date, to protect against potential targeted exploits designed to compromise
information stored on mobile devices,” a WhatsApp spokesperson said in a
statement.
So what about NSO Group? Is this attack their
work as well? The company told the Financial Times, which first reported the
attack, that it was investigating the issue. But it noted that it is careful
not to involve itself with the actual applications of its software — it vets
its customers and investigates abuse, it said, but it has nothing to do with
how its code is used or against whom.