A vulnerability inside WhatsApp has allowed attackers to infiltrate phones with spyware developed by Israeli developer NSO Group. Both WhatsApp and NSO Group have now confirmed that the exploit was present inside WhatsApp’s voice calling feature which allowed attackers to load the spyware into phones running Android or iOS.
The malicious code was transmitted by calling users on WhatsApp and the method even worked when the call was not answered, says The Financial Times. In several instances, the call would disappear from the call logs, which meant that there was a possibility that users never knew they received the call in the first place, let alone know that they had been targeted by spyware.
NSO Group’s Pegasus spyware which was used by the attackers to access users’ camera, microphone, location and all the texts. While WhatsApp hasn’t identified the perpetrators behind the exploit, the company has alerted human rights groups and the US Justice Department. The messaging service also revealed that the attackers had all the traits of a private company which could be working with governments to push spyware.
NSO has, however, rejected such a notion on its behalf. The developer said “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual”.
WhatsApp has since then sent a fix for the issue through a server-side on Friday. The app has been updated with the same on Monday.