Billions of people are being urged to update their WhatsApp messaging app in the wake of news that a seemingly innocuous voice call could allow hackers access to their phone.
The security vulnerability allowed hackers to install surveillance software, even if a user didn’t answer the call, the Financial Times reported.
It’s not yet known how many people were targeted or affected. But the company updated its software, fixed the security flaw and is asking users to update their app.
A WhatsApp spokesperson said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”
But questions remain about who was targeted and why.
The Financial Times reported the hack was done by spyware made by the Israeli cyber surveillance company NSO Group.
The group is known for creating the malware called Pegasus, which allows hackers to access messages, location services, wifi passwords and other data.
“It’s a very advanced spyware,” said Iman Sharafaldin, a cybersecurity researcher at the Canadian Institute for Cybersecurity in New Brunswick.
“Your phone will become a permanent spy in your life, even if you disable the deepest sleep mode. It permanently records and it hijacks your camera, it hijacks your microphone and permanently spies on you.”
Asked about the report, NSO said its technology is licensed to authorized government agencies “for the sole purpose of fighting crime and terror,” that it does not operate the system itself, and that it has a rigorous licensing and vetting process.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” the company said. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
But human rights agency Amnesty International says the company’s safeguards around who it sells its software to are “ineffective.”
“The company has failed to disclose its due diligence process, except for veiled references to the existence of an ethics committee,” a release from Amnesty International reads. “It remains unclear what factors are taken into consideration before the company sells an inherently invasive product like Pegasus.”
Amnesty International, along with other human rights groups, says it is supporting legal action asking the Israeli Ministry of Defence to revoke the export licence of NSO Group.
Human rights agencies targeted
WhatsApp said it was “deeply concerned about the abuse” of such surveillance technologies and that it believed human rights activists may have been the targets.
“We’re working with human rights groups on learning as much as we can about who may have been impacted from their community. That’s really where our highest concern is,” a company spokesman said.
Research from Toronto-based Citizen Lab shows multiple previous instances of Pegasus software being used by bad actors. The lab says there is “empirical evidence that NSO Group’s technology has been used abusively and illegally to spy on civil society, human rights defenders and journalists, among other targets.”
Most notably, Citizen Lab notes a Saudi dissident — who had contact with journalist Jamal Khashoggi — was targeted by Pegasus software linked to Saudi Arabia.
—With files from Reuters