WhatsApp Discovers 'Targeted' Surveillance Attack

Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users, and was orchestrated by "an advanced cyber actor".

A fix was rolled out on Friday.

The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times.

On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.

The attack was first discovered earlier this month.

WhatsApp promotes itself as a "secure" communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient's device.

However, the surveillance software would have let an attacker read the messages on the target's device.

"Journalists, lawyers, activists and human rights defenders" are most likely to have been targeted, said Ahmed Zidan from the non-profit Committee to Protect Journalists.

How do I update WhatsApp?

Android

1. Open the Google Play store
2. Tap the menu at the top left of the screen
3. Tap My Apps & Games
4. If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
5. If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version

The latest version of WhatsApp on Android is 2.19.134

iOS

1. Open the App Store
2. At the bottom of the screen, tap Updates
3. If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
4. If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version

The latest version of WhatsApp on iOS is 2.19.51

How was the security flaw used?

It involved attackers using WhatsApp's voice calling function to ring a target's device. Even if the call was not picked up, the surveillance software would be installed, and, the FT reported, the call would often disappear from the device's call log.

WhatsApp told the BBC its security team was the first to identify the flaw, and shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

"The attack has all the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems," the company said on Monday in a briefing document note for journalists.

The firm also published an advisory to security specialists, in which it described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number."

Prof Alan Woodward from the University of Surrey said it was a "pretty old-fashioned" method of attack.

"In a buffer overflow, an app is allocated more memory than it actually needs, so it has space left in the memory. If you are able to pass some code through the app, you can run your own code in that area," he explained.

"In VOIP there is an initial process that dials up and establishes the call, and the flaw was in that bit. Consequently you did not need to answer the call for the attack to work."
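The bug class the advisory names, a buffer overflow in a packet-parsing path, comes down to a parser copying attacker-controlled data into a fixed-size buffer without checking that it fits. The following C example is added here for illustration and is not WhatsApp's code, NSO's tooling, or the real SRTCP format: it uses a constructed one-byte-length-prefixed toy packet, shows the unchecked parser beside a hardened one that rejects oversized payloads, and uses a slack region after the nominal buffer purely so the demonstration can observe the overrun without corrupting its own stack (real code has no such slack; the overrun would hit whatever data happens to sit next to the buffer).

```c
/* Added example (constructed toy format, not SRTCP and not WhatsApp's parser):
 * a length-prefixed packet parser with and without a destination bounds check. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16   /* capacity the parser assumes for one payload */

/* Toy packet layout (constructed for this demo):
 *   byte 0       : declared payload length (attacker-controlled)
 *   bytes 1..len : payload bytes */

/* Demo destination: the nominal buffer plus a slack region so the vulnerable
 * parser's overrun lands somewhere observable. Real code has no such slack. */
typedef struct {
    uint8_t data[PAYLOAD_MAX];
    uint8_t spill[256];
} demo_buf_t;

/* VULNERABLE: trusts the length byte. It checks that the packet is long enough
 * to read from, but never that the payload fits in the destination buffer. */
static int parse_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t *dst)
{
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (pkt_len < 1 + len) return -1;     /* reads stay in bounds ... */
    for (size_t i = 0; i < len; i++)      /* ... but writes do not */
        dst[i] = pkt[1 + i];
    return (int)len;
}

/* HARDENED: identical parser, but the destination capacity is checked before
 * any byte is written, and oversized packets are rejected outright. */
static int parse_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_cap)
{
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (pkt_len < 1 + len) return -1;
    if (len > dst_cap) return -1;         /* payload would overflow dst: drop it */
    memcpy(dst, pkt + 1, len);
    return (int)len;
}

/* Builds a constructed packet with `len` payload bytes of value `fill`.
 * Returns the total packet size, or 0 if `out` is too small. */
static size_t make_packet(uint8_t *out, size_t out_cap, uint8_t len, uint8_t fill)
{
    if (out_cap < 1 + (size_t)len) return 0;
    out[0] = len;
    memset(out + 1, fill, len);
    return 1 + (size_t)len;
}

/* Returns how many bytes the vulnerable parser wrote past the nominal buffer
 * for a packet declaring `declared_len` payload bytes (0 means no overrun). */
static size_t demo_overrun(uint8_t declared_len)
{
    uint8_t pkt[1 + 255];
    size_t n = make_packet(pkt, sizeof pkt, declared_len, 0x41);
    demo_buf_t buf;
    memset(&buf, 0, sizeof buf);
    if (parse_unchecked(pkt, n, buf.data) < 0) return 0;
    size_t spilled = 0;
    for (size_t i = 0; i < sizeof buf.spill; i++)
        if (buf.spill[i] == 0x41) spilled++;
    return spilled;
}

/* Returns 1 if the hardened parser rejects the same packet, 0 if it accepts it. */
static int demo_rejects(uint8_t declared_len)
{
    uint8_t pkt[1 + 255];
    size_t n = make_packet(pkt, sizeof pkt, declared_len, 0x41);
    uint8_t dst[PAYLOAD_MAX];
    return parse_checked(pkt, n, dst, sizeof dst) < 0;
}

int main(void)
{
    printf("declared 8  bytes: unchecked overrun=%zu, checked rejects=%d\n",
           demo_overrun(8), demo_rejects(8));
    printf("declared 40 bytes: unchecked overrun=%zu, checked rejects=%d\n",
           demo_overrun(40), demo_rejects(40));
    return 0;
}
```

The only difference between the two parsers is the single `len > dst_cap` check; that is the shape of fix a vendor ships for this bug class, and it is why "update the app" was the advice given to users. A protocol stack that validates every length field against the buffer it will fill before copying, and drops the packet rather than truncating it, removes the attacker's control over where the write lands.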

Some users of the app have questioned why the app store notes associated with the latest update are not explicit about the fix.

Who has been targeted?

WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that the suspected attacks were highly targeted.

Amnesty International - which said it had been targeted by tools created by the NSO Group in the past - said this attack was one human rights groups had long feared was possible.

"They're able to infect your phone without you actually taking an action," said Danna Ingleton, deputy programme director for Amnesty Tech. She said there was mounting evidence that the tools were being used by regimes to keep prominent activists and journalists under surveillance.

"There needs to be some accountability for this, it can't just continue to be a wild west, secretive industry."

On Tuesday, a Tel Aviv court will hear a petition led by Amnesty International that calls for Israel's Ministry of Defence to revoke the NSO Group's licence to export its products.