WhatsApp on Tuesday encouraged its users to upgrade the app to plug a security breach that allowed sophisticated attackers to sneak spyware into phones, in the latest trouble for its parent Facebook.
The vulnerability — first reported by the Financial Times, and fixed in the latest WhatsApp update — allowed hackers to insert malicious software on phones by calling the target using the app, which is used by 1.5 billion people around the world.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesperson said in a statement to AFP.
The FT cited a spyware dealer as saying the tool was developed by a shadowy Israel-based firm called the NSO Group, which has been accused of helping governments from the Middle East to Mexico snoop on activists and journalists.
And security researchers said the malicious code bore similarities to other tech developed by the firm, according to The New York Times.
The latest exploit — which impacts Android devices and Apple’s iPhones, among others — was discovered earlier this month and WhatsApp scrambled to fix it, rolling out an update in less than 10 days.
The firm did not comment on the number of users affected or who targeted them, and said it had reported the matter to US authorities.
It also informed authorities in Ireland about the “serious security vulnerability”, according to a statement by the country’s Data Protection Commission (DPC).
“The DPC is actively engaging with WhatsApp Ireland to determine if and to what extent any WhatsApp EU user data has been affected,” it said.
It echoed WhatsApp in encouraging users to update the app, as “the possibility remains that EU users were affected”.
The breach is the latest in a series of issues troubling WhatsApp’s parent Facebook, which has faced intense criticism for allowing its users’ data to be harvested by research companies and over its slow response to Russia using the platform as a means to spread disinformation during the 2016 US election campaign.