A critical flaw in the popular messaging service WhatsApp allowed hackers to compromise a victim’s phone simply by calling them.
The powerful attack allows hackers to inject malicious code onto a target’s phone using WhatsApp’s phone calling feature — and the victim doesn’t even need to answer the call for the spyware to be installed. The attack also wiped call logs to prevent victims realizing they were hacked.
WhatsApp, which has 1.5 billion users globally, said it was made aware of the flaw in early May and has now patched the vulnerability for both Android and iPhone, encouraging all users to upgrade to the latest version of the app.
The company told VICE News that “an advanced cyber actor” targeted “a select number of users” using this vulnerability, but did not disclose who was behind the attacks.
But a report from the Financial Times claims that controversial Israeli company NSO Group developed the method of attack to inject its Pegasus spyware onto victims’ phones.
Pegasus, which is sold to governments and law enforcement agencies around the world, gives users unfettered access to almost all aspects of a victim’s device, including the camera and microphone, and all data and accounts linked to the phone.
According to the FT, the vulnerability was used as recently as Sunday to try and install Pegasus on the phone belonging to a U.K.-based human rights lawyer who represents a group of Mexican journalists, government critics, and a Saudi Arabian dissident — all of whom say the spyware has been used to track their activity.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp said in a statement. “We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society.”
WhatsApp also informed the U.S. Department of Justice about the flaw last week.
But NSO says it only sells its powerful hacking tools to governments and law enforcement agencies and doesn’t use them itself.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” a spokesperson for the company told the FT. “NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual.”
NSO has gained a reputation for being one of the foremost vendors of surveillance and hacking tools to governments around the world. It has been selling the powerful Pegasus tool since 2011, but it first came to public attention in 2016 when a Dubai-based human rights activist was targeted with the hacking tool.
Then, in December 2018, the company hit the headlines when the New York Times reported that the company helped Saudi Arabia spy on the Washington Post journalist Jamal Khashoggi before he was killed in the Saudi consulate in Istanbul.
But this is not the first time the company has been accused of exploiting WhatsApp to target victims. Back in August, Amnesty International warned that its staff were being targeted with NSO’s surveillance tools by attackers who sent WhatsApp messages that contained links that, if clicked, would download the spyware.
Cover: Soeren Stache/Picture-Alliance/DPA/AP Images