WhatsApp discovered a disturbing security breach early this month when they found that dozens of users had been hacked. The Facebook subsidiary found that the hack occurred when one or two missed calls were received from an unfamiliar number, enabling the malicious code was shipped onto their phone via that missed call, without any user intervention.
“We are deeply concerned about the abuse of such capabilities,” WhatsApp said in a statement.
The unnamed spokesperson said that a number of people, perhaps dozens, were infected with the malware which the company discovered in early May.
A researcher at University of Toronto’s Citizen Lab – an internet watchdog – called the hack ‘a very scary vulnerability’. He said, “there’s nothing a user could have done, short of not having the app.” WhatsApp is one of the most widely used apps in the world with over 1.5 billion users.
Citizen Lab added that they think the attack was linked to a vulnerability that WhatsApp was already trying to patch. This tracks with the comment from the WhatsApp spokesperson who said that engineers discovered the hack of the in-app voice calls when they were making additional security enhancements to that same feature.
Upon discovering the breach, a team of engineers in San Francisco and London worked round the clock to fix issue. WhatsApp began rolling out a fix on Friday, 10 May and the updated version of WhatsApp was issued on Monday. They also immediately contacted Citizen Lab and human rights groups as well as the relevant US authorities to inform them of the hack.
The Financial Times identified Israel’s NSO Group as the ‘actor’ responsible for the creation of the spyware behind the hack. The NSO Group is a technology firm focused on cyber intelligence.
In a statement, a WhatsApp spokesperson said, “we’re certainly not refuting any of the coverage you’ve seen”, referring to the news about the leak which has been widely reported by international press.
The spokesperson added “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
The company said it has disclosed the issue to the US Department of Justice last week and have provided information to assist US authorities in their investigations.
The reach of Israeli cyber intelligence firm
NSO in a statement did not deny that it was the creator of the spyware that was used in the WhatsApp hack.
“NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions,” the statement said.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization, including this individual,” it added.
The hack has brought to life concerns and questions over the NSO’s spyware technology which can be used to hijack smartphones and control their cameras, turning them into pocket-sized surveillance devices without the users even knowing.
According to an article by the Times of Israel, NSO’s spyware has been used to hack journalists, lawyers, human rights defenders and dissidents. The spyware, called Pegasus, has also been implicated in the tragic killing of Saudi journalist Jamal Khashoggi who was killed in the Saudi consulate in Israel last year and whose body is yet to be found.
Several alleged targets of this spyware including close friends of Khashoggi and several Mexican civil society figures are currently suing the company in Israeli Court over the hacking.
Another target of that same NSO spyware last year was an Amnesty International staffer. As such, the non-profit said it is joining a legal bid to force Israel’s Defence Ministry to suspend NSO’s export licence.