WhatsApp has urged all of its users to update the messaging app on their phones after a serious spyware flaw was found.
The service is used by three-quarters of Irish adults and has become the bedrock of community organisations, social and family groups.
However, the app’s engineers discovered that it could allow spyware into a user’s phone simply by another person making a WhatsApp voice call to the user’s device.
Chillingly, the call does not have to be answered for the spyware ‘payload’ to work. A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance”.
The company, which is part of Facebook, has informed the Irish Data Protection Commissioner (DPC) as the entity’s lead regulator in the EU.
“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed,” said a spokesman for Helen Dixon’s office in a statement.
“WhatsApp is still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident,” the DPC said, adding that WhatsApp informed it of the incident late on Monday.
In the meantime, WhatsApp has advised users to update the app to a new version in the iPhone App Store or Google Play Store, which it claims is not vulnerable to the spyware attack.
WhatsApp, one of the most popular messaging tools in the world, is used by 1.5 billion people monthly. It has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.
The company said it was still investigating the breach but believed only a “select number of users were targeted through this vulnerability by an advanced cyber actor”.
The ‘Financial Times’ initially reported on the WhatsApp vulnerability. It said the spyware was developed by Israeli cyber surveillance company NSO Group – best known for its mobile surveillance tools – and affects both Android phones and iPhones.
WhatsApp said it was “deeply concerned about the abuse” of such technologies and that it believed human rights activists may have been the targets.
“We’re working with human rights groups on learning as much as we can about who may have been impacted from their community. That’s really where our highest concern is,” a WhatsApp spokesman said.
Asked about the report, NSO said its technology is licensed to government agencies “for the sole purpose of fighting crime and terror”, that it does not operate the system itself, and that it has a rigorous licensing and vetting process.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” the company said.