WhatsApp has fixed a vulnerability in the app’s calling feature that allowed cybercriminals to inject spyware onto people’s phones, a media report has said. The spyware, called Pegasus, was developed by the Israeli company NSO Group, which licenses its products to governments to fight terrorism and crime. According to The Financial Times, which first reported the development, the spyware could be installed on iPhones as well as on Android devices; all an attacker had to do was make a WhatsApp call to the target.
The company says that it fixed the vulnerability on Sunday and issued a patch for customers on Monday. “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society,” the company said without naming NSO Group.
WhatsApp, an instant messaging app used by 1.5 billion people worldwide, disclosed the issue to the US Department of Justice last week, the Financial Times reported, citing a person familiar with the matter. Meanwhile, NSO said that it had carefully “vetted customers and investigated any abuse.” The company also said that it is investigating the issue. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organisation,” NSO was quoted as saying.
Pegasus is NSO’s flagship programme, which can turn on a phone’s microphone and camera and collect location data. The company has Middle Eastern and Western intelligence agencies as its customers. It is suspected that the attack was launched by a Middle Eastern country, allegedly to suppress criticism of its human rights practices. The report said that in the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.
As recently as May 12, there was an attempt to compromise the phone of a UK-based human rights lawyer who helped a Saudi dissident in Canada sue NSO in Israel. John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, said the attack had failed. “We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection,” added Scott-Railton.