The company urges its 1.5 billion users to update after finding devices were tapped using a vulnerability in the software
The Facebook-owned company released the fix over the weekend after discovering the vulnerability earlier this month.
The bug was used to implant spyware developed by Israeli developer NSO Group, whose surveillance tools are intended for use by governments and law enforcement agencies, according to an unnamed surveillance software maker cited by the Financial Times.
When attackers rang up a target’s phone, the malicious code would automatically infect the device even if the call was not answered, WhatsApp said in a technical document on the issue.
The attack involved a buffer overflow vulnerability in WhatsApp’s voice over internet protocol (VOIP) stack that allowed remote code execution via a series of specially crafted secure real-time control protocol (SRTCP) packets, WhatsApp said.
The company began rolling out a fix to its servers on Friday, releasing the client update via Google Play on Saturday and on Apple’s App Store on Monday.
WhatsApp’s app store release notes for the latest versions do not mention the security fix.
The company bills its software as providing end-to-end encrypted messaging that can’t be read by outsiders or by WhatsApp itself.
The company acknowledged that the vulnerability had been used to install spyware, without mentioning NSO by name.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said in a statement.
“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
WhatsApp said its own security team initially discovered the bug, and notified human rights groups, select security vendors and the US Department of Justice earlier in May.
The company said it is not yet able to estimate how many WhatsApp users were affected, but that attacks were likely to have been highly targeted and to have affected only select users.
The attacks were carried out by an “advanced cyber actor”, WhatsApp said.
NSO’s flagship product, Pegasus, allows users to take over the target’s microphone and camera and to gather location data.
The company is partly owned by British private equity fund Novalpina Capital, which participated in a leveraged buyout of NSO in February.
NSO said it does not operate Pegasus itself and does not determine how it is used.
“NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror,” the group said.
“NSO would not or could not use its technology in its own right to target any person or organisation.”
But Amnesty International, which alleges it has been targeted by NSO’s tools in the past, told the BBC that NSO should be held accountable for the way in which its products are used.
On Tuesday the human rights group is to appear before a Tel Aviv court to call on Israel’s Ministry of Defence to revoke NSO’s export licence.