A new report has revealed that a flaw in the end-to-end encrypted messaging service WhatsApp has been exploited by hackers and used to plant commercial Israeli spyware on Android and iOS devices.
The report from the Financial Times says that the vulnerability allowed attackers to install malicious code developed by the Israeli cyber intelligence firm NSO Group Technologies on their targets’ phones via WhatsApp’s voice call feature. Attackers planted the surveillance software simply by placing a WhatsApp call to the target and then hanging up; the call did not need to be answered, and the calls often disappeared from WhatsApp’s call logs, leaving the victim with little indication that anything had happened.
WhatsApp reportedly discovered the vulnerability in May and is still conducting investigations into how many of its 1.5 billion users were targeted with this method. WhatsApp also reported this system vulnerability to the US Department of Justice last week.
According to the Financial Times, WhatsApp engineers began rolling out fixes via WhatsApp’s servers on Friday, May 10 and released a patch for customers on Monday, May 13.
The Financial Times adds that a human rights lawyer based in the UK was targeted through this WhatsApp vulnerability on Sunday, May 12. The lawyer has helped some of his clients sue NSO Group Technologies in Israel, claiming that the company should share liability if its software is abused by clients.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which studies information controls that impact the security of the internet, says that the attack failed:
“We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection. We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”
NSO Group Technologies said that it is conducting its own investigations into the targeting of the UK lawyer via WhatsApp and gave the following statement to the Financial Times:
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual [the UK lawyer].”
The news of this attack and the vulnerability in WhatsApp comes less than a day before the filing of a legal action which will demand that the Israeli Ministry of Defense (MoD) revoke the export license of NSO Group Technologies.