Facebook-owned WhatsApp on Monday disclosed the recent fix of a VoIP-related vulnerability that allowed nefarious parties to remotely install spyware on both iOS and Android handsets.
Discovered in early May, the now-patched bug in the app’s audio call feature allowed hackers to deliver a spyware payload to target devices, a process that worked even if the WhatsApp call recipient failed to answer.
It took WhatsApp less than ten days to patch the security hole following its discovery, reports TechCrunch. How long the vulnerability existed without detection is unknown, but the company confirmed hackers took advantage of the window to install an unknown number of malicious payloads.
Although WhatsApp did not name a specific company or spyware variant associated with the security breach, a statement on the matter points to Israeli vendor NSO Group.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said.
NSO develops and markets a well-known and notoriously effective piece of spyware called Pegasus. Typically reserved for government buyers, Pegasus is often used by law enforcement agencies to gain wide access to key device functions and data stores.
Apple has in the past attempted to patch flaws in iOS and macOS leveraged by Pegasus, but NSO continues to uncover and exploit zero-day vulnerabilities in iOS to keep its product functional.
WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said.
The company alerted the U.S. Justice Department and various human rights organizations after discovering the vulnerability, and it is urging users to update their app versions to protect against future attacks.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a statement.