WhatsApp pressed users to update its messaging service, following a report that a vulnerability in the software allowed attackers to hack into people’s phones using commercial Israeli spyware.
The chat app, owned by Facebook Inc., said it had discovered a vulnerability in early May that could enable attackers to insert and execute code on mobile devices.
WhatsApp said it made changes to its infrastructure late last week to block the attacks from taking place, adding that only a select number of users appeared to have been targeted through the vulnerability by an advanced cyber actor.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokeswoman for the company said Tuesday.
The statement follows a report by the Financial Times that attackers were able to install surveillance software, developed by Israeli company NSO Group, on iPhones and Android devices by calling targets using the app’s phone call function.
WhatsApp said the attack has the hallmarks of a private company that works with governments to deliver spyware that takes control of mobile phone operating systems.
In a statement, NSO Group said its technology “is licensed to authorized government agencies for the sole purpose of fighting crime and terror.” It added that it doesn’t operate the system itself and “under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
WhatsApp said it has notified European data privacy regulators of the breach and has also provided information to U.S. law enforcement to help it conduct an investigation. It also said it had briefed human rights organizations to work with them to notify civil society.
Ireland’s Data Protection Commission said WhatsApp notified the regulator on Monday of a “serious security vulnerability” and that it is actively engaging with the company to check if any EU user data has been compromised.
–With assistance from Kaye Wiggins.