There’s a lot of talk about protecting yourself from hacking: don’t download attachments or click links sent from people you don’t know, or the use of strong, unhackable passwords.
But a new threat cropped up Tuesday after reports hackers were using the messaging app WhatsApp to gain access to phones even if the user didn’t do anything to allow it.
The Financial Times reported that Israeli-made surveillance spyware called Pegasus was installed on phones by ringing up targets using WhatsApp’s call feature.
The software was installed even if you didn’t pick up the call, and the calls often disappeared from the call logs, the Financial Times reported.
Most hacks commonly reported come from data leaks, or phishing attempts – these usually focus on making money. Credit card data, passwords or banking information is then used to make the hackers money.
WATCH: WhatsApp urges upgrade to thwart spyware attack
But in this case, a WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”
That user interaction is something like clicking a link from a malicious email or SMS message, but Sharafaldin said that “in this case actually you don’t need any of them.”
The software, called a “no-click attack,” was instead installed “remotely” – without any input from the user.
“The attack was also very stealthy, given that it required no user input (a no-click attack) and allowed hackers to access target devices discreetly,” Andrew Tsonchev, director of technology at AI firm Darktrace, said in an email.
“It challenges our expectations of which platforms are secure and which are not.”
The company could not say how many people might have been affected, but officials believe only a “select number of users were targeted through this vulnerability by an advanced cyber actor.”
Officials said they’re “deeply concerned about the abuse” of such surveillance technologies and that it believed human rights activists may have been the targets.
Scott Storey, a senior lecturer in cybersecurity at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people.
“For the average end user, it’s not something to really worry about,” he said, adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.”
WATCH: Phishing scam spoofing familiar websites to fool you
Still, WhatsApp users are urged to update their app; a patch to fix the security vulnerability was released Monday.
To do that, users can go to their Google or Apple app store, finding WhatsApp, and clicking “update.”
The security breach was also reported to the U.S. Department of Justice and Ireland’s Data Protection Commission.
Tips for users
Sharafaldin also shared some tips for users to protect from all types of security vulnerabilities.
“My suggestion is that if you have sensitive data on your phone please restrict any application from accessing your camera,” he said.
WATCH: Cybersecurity report shows threat to businesses, elections
He also suggested making sure to delete messages that contain sensitive data. For example, if you share passwords over text or on a messaging app, remember to go back and delete the message.
Users should also be looking for signs their phone is infected such as a spike in battery use or data usage.
“The way that spyware works is they disable the deeper sleep mode and they constantly spy on you,” Sharafaldin said, meaning they are constantly using battery power and data.
He also suggested getting monitoring software like the Lookout app.
*with files from Reuters