Even though WhatsApp rolled out end-to-end encryption to its platform back in 2014, the service is subject to cyberattacks from time to time. In 2016, its users were targeted by a phishing scam which stole credentials if a user opened attachments in emails that appeared to be sent by WhatsApp.
This time, however, the attack appears to be very sophisticated, so much so that it was apparently able to install Israeli spyware on victims' Android and iOS devices.
As reported by the Financial Times, a vulnerability was discovered in WhatsApp by the Facebook-owned company in May. Apparently, this exploit had been available for weeks, and allowed attackers to inject Israeli spyware into Android and iOS devices by simply calling them. What's disturbing about this attack is that these calls did not have to be answered in order to install the spyware, and in many cases, they disappeared from call logs altogether. The exploit reportedly caused a buffer overflow in WhatsApp's VoIP stack by sending Secure RTP Control Protocol (SRTCP) packets to target phone numbers.
The report claims that the code for the attack was crafted by Israeli security company NSO Group, and it is purported that it was also used to exploit the account of a UK lawyer, who declined to be identified. However, NSO Group has denied any wrongdoing, saying that:
"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual [the UK lawyer]."
NSO, which is valued at $1 billion, is known for its flagship product Pegasus, which it sells to security companies and governments to fight terrorism. The software can turn on the microphone and camera of the device, infiltrate email and messages, and also collect location data. The company is currently facing intense legal pressure in Israel from human rights groups such as Amnesty International.
That said, it is important to note that while WhatsApp has stated that the vulnerability was probably exploited by a company which has worked with governments in the past, it has not explicitly named NSO. In a statement, it went on to say that:
"This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society."
WhatsApp is still in the early stages of its investigations, so it's not yet clear how many people were affected by the exploit. The company delivered a fix to its server last Friday and sent out an update to its application yesterday, urging affected users to upgrade.