WhatsApp voice calls used to inject Israeli spyware, FT reports

Messaging app discovers vulnerability that has been open for weeks, the British newspaper claims

The Facebook Inc. WhatsApp application is displayed in the App Store on an Apple Inc. iPhone in an arranged photograph taken in Arlington, Virginia, U.S. on Monday, April 29, 2019. Facebook paid out a $123 million fine to EU antitrust regulators for failing to provide accurate information during their review of Facebook's WhatsApp takeover. Photographer: Andrew Harrer/Bloomberg

A vulnerability in WhatsApp has allowed attackers to inject commercial Israeli spyware on phones, the Financial Times reported, citing the messaging app company and a spyware technology dealer.

WhatsApp discovered in early May that attackers were able to install surveillance software onto iPhones and Android phones by calling targets using the app's call function, the FT said in an article on May 13.

The malicious code was developed by the secretive Israeli company NSO Group and could be transmitted to users even if they did not answer their phones, with the calls often disappearing from the call log, according to the spyware dealer, who was briefed on the WhatsApp hack.

WhatsApp is in the midst of its own investigation into the vulnerability, but the inquiry is at too early a stage to estimate how many phone users were targeted, the FT said, citing a source.

WhatsApp engineers raced to close the loophole as late as Sunday, working round the clock in San Francisco and London, and the company began rolling out a fix to its servers on Friday last week, WhatsApp said.

WhatsApp notified the US Department of Justice last week of the issue. A justice department spokesman declined to comment to the newspaper.

Asked about the WhatsApp attacks, NSO said it was investigating the issue. 
"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," the company said in a statement to the FT.

"NSO would not, or could not, use its technology in its own right to target any person or organisation."