Company spokesman says the attack had "all the hallmarks of a private company that has been known to work with governments to deliver spyware that has the ability to take over mobile phone operating systems."
Facebook's WhatsApp said on Tuesday a security breach on its messaging app had signs of coming from a private company working on surveillance and it had referred the incident to the US Department of Justice.
WhatsApp, one of the most popular messaging tools, is used by 1.5 billion people monthly and it has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.
A WhatsApp spokesman said the attack had "all the hallmarks of a private company that has been known to work with governments to deliver spyware that has the ability to take over mobile phone operating systems."
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokesman said.
TRT World's Mobin Nasir reports.
Measures to protect users
"We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users," he said.
The spokesman said WhatsApp immediately contacted Citizen Lab and human rights groups, quickly fixed the issue and pushed out a patch. He said WhatsApp also provided information to US law enforcement officials to assist in their investigation.
He said the flaw was discovered while "our team was putting some additional security enhancements to our voice calls." Engineers found that people targeted for infection "might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped," the spokesman said.
"We are deeply concerned about the abuse of such capabilities," WhatsApp said in a statement. WhatsApp did not elaborate further.
'Serious security vulnerability'
WhatsApp informed its lead regulator in the European Union, Ireland's Data Protection Commission (DPC), of a "serious security vulnerability" on its platform.
"The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed," the regulator said in a statement.
"WhatsApp are still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident," the DPC said, adding that WhatsApp informed it of the incident late on Monday.
Vast majority not affected - experts
WhatsApp said it believes only "a select number of users were targeted."
Cybersecurity experts said the vast majority of users were unlikely to have been affected.
Scott Storey, a senior lecturer in cybersecurity at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people, mainly human rights campaigners.
"For the average end user, it's not something to really worry about," he said, adding that WhatsApp found the vulnerability and quickly fixed it. "This isn't someone trying to steal private messages or personal details."
Storey said that disclosing vulnerabilities is a good thing and likely would lead to other services looking at their security.
Earlier, the Financial Times reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app's phone call function.
It said the spyware was developed by Israeli cybersurveillance company NSO Group — best known for its mobile surveillance tools — and affects both Android and iPhones. The FT said WhatsApp could not yet give an estimate of how many phones were targeted.
The FT reported that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability and it began rolling out a fix to its servers on Friday last week and issued a patch for customers on Monday.
Asked about the report, NSO said its technology is licensed to authorised government agencies "for the sole purpose of fighting crime and terror," and that it does not operate the system itself while having a rigorous licensing and vetting process.
"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," the company said.
Israel-based security firm
Spokespeople for NSO Group did not immediately respond to an email seeking comment.
The revelation adds to the questions over the reach of the Israeli company's powerful spyware, which can hijack smartphones, control their cameras and effectively turn them into pocket-sized surveillance devices.
NSO's spyware has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents.
Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.
Several alleged targets of the spyware, including a close friend of Khashoggi and several Mexican civil society figures, are currently suing NSO in an Israeli court over the hacking.
On Monday, Amnesty International — which said last year that one its staffers was also targeted with the spyware — said it would join in a legal bid to force Israel's Ministry of Defence to suspend NSO's export licence.
That makes the discovery of the vulnerability particularly disturbing because one of the targets was a UK-based human rights lawyer, the attorney said.
The lawyer, who spoke on condition of anonymity for professional reasons, said he received several suspicious missed calls over the past few months, the most recent one on Sunday, only hours before WhatsApp issued the update to users fixing the flaw.
Shares in market
Social media giant Facebook bought WhatsApp in 2014 for $19 billion.
Facebook co-founder Chris Hughes last week wrote in The New York Times that fellow co-founder Mark Zuckerberg had far too much influence by controlling Facebook, Instagram and WhatsApp, three core communications platforms, and called for the company to be broken up.
Facebook's shares were up 0.8 percent at $183.02 in pre-market trading.