WhatsApp Discovers ‘Advanced’ Surveillance Hacks

WhatsApp has urged all of its 1.5 billion users to update their software to fix a vulnerability that it said was being actively exploited to implant advanced surveillance tools on users’ devices.

The Facebook-owned company released the fix over the weekend after discovering the vulnerability earlier this month.

The bug was used to implant spyware developed by Israeli developer NSO Group, whose surveillance tools are intended for use by governments and law enforcement agencies, according to an unnamed surveillance software maker cited by the Financial Times.

When attackers rang up a target’s phone, the malicious code would automatically infect the device even if the call was not answered, WhatsApp said in a technical document on the issue.


The attack involved a buffer overflow vulnerability in WhatsApp’s voice over internet protocol (VOIP) stack that allowed remote code execution via a series of specially crafted secure real-time control protocol (SRTCP) packets, WhatsApp said.

The company began rolling out a fix to its servers on Friday, releasing the client update via Google Play on Saturday and on Apple’s App Store on Monday.

WhatsApp’s app store release notes for the latest versions do not mention the security fix.

The company bills its software as providing end-to-end encrypted messaging that can’t be read by outsiders or by WhatsApp itself.

The company acknowledged that the vulnerability had been used to install spyware, without mentioning NSO by name.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said in a statement.

“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

Targeted attacks

WhatsApp said its own security team initially discovered the bug, and notified human rights groups, select security vendors and the US Department of Justice earlier in May.

The company said it is not yet able to estimate how many WhatsApp users were affected, but that attacks were likely to have been highly targeted and to have affected only select users.

The attacks were carried out by an “advanced cyber actor”, WhatsApp said.

NSO’s flagship product, Pegasus, allows users to take over the target’s microphone and camera and to gather location data.

The company is partly owned by British private equity fund Novalpina Capital, which participated in a leveraged buyout of NSO in February.

NSO said it does not operate Pegasus itself and does not determine how it is used.

“NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror,” the group said.

“NSO would not or could not use its technology in its own right to target any person or organisation.”

But Amnesty International, which alleges it has been targeted by NSO’s tools in the past, told the BBC that NSO should be held accountable for the way in which its products are used.

On Tuesday the human rights group is to appear before a Tel Aviv court to call on Israel’s Ministry of Defence to revoke NSO’s export licence.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Microsoft Recall Triggers Enquiry From UK Data Regulator

Privacy concerns. ICO seeks feedback after Microsoft introduces AI Recall feature that screenshots users' laptops…

2 hours ago

Upcoming Honor Smartphones To Feature Google AI Tech

Honor will include Google AI features in upcoming devices, despite geopolitical tensions between Washington and…

3 hours ago

Amazon To Refresh Alexa With AI, Charge Monthly Subscription – Report

Alexa voice assistant to be upgraded with AI capabilities, and users charged a monthly fee…

4 hours ago

Electric Vehicles Twice As Likely To Hit Pedestrians – Study

Study analysed UK road collisions, finds pedestrians twice as likely to be hit by an…

6 hours ago

EU Countries Endorse AI Act, Due Next Month

European countries have officially endorsed the flagship EU AI Act, which is due to come…

8 hours ago

SpaceX Demos First Video Call Of T-Mobile’s Direct To Cell Service

Video call made from one smartphone connected to Starlink satellite, to another phone connected to…

10 hours ago