WhatsApp has asked users to update its messaging service app, following a report that a vulnerability in the software allowed attackers to hack into people’s phones using commercial Israeli spyware.
The app, owned by Facebook, said it had discovered a vulnerability in early May that could enable attackers to insert and execute code on mobile devices.
WhatsApp said it made changes to its infrastructure last week to block the attacks, adding that only a select number of users appeared to have been targeted through the vulnerability by an advanced cyber actor, according to Bloomberg.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokeswoman for the company said on Tuesday.
The statement follows a report by the Financial Times that attackers were able to install surveillance software, developed by Israeli company NSO Group, on iPhones and Android devices by calling targets using the app's phone call function.
The FT reported that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability and it began rolling out a fix to its servers on Friday last week and issued a patch for customers on Monday, according to Reuters.
WhatsApp said the attack has the hallmarks of a private company that works with governments to deliver spyware, which takes over control of mobile phone operating systems.
In a statement, NSO Group said its technology "is licensed to authorised government agencies for the sole purpose of fighting crime and terror". It added that it does not operate the system itself and "under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies".
WhatsApp said it has notified European data privacy regulators of the breach and has also provided US law enforcement information to conduct an investigation. It also said it had briefed human rights organisations to work with them to notify civil society.
Ireland’s Data Protection Commission said WhatsApp notified the regulator on Monday of a "serious security vulnerability" and that it is actively engaging with the company to check if any EU user data has been compromised.