WhatsApp, which is part of Facebook, said it had notified the U.S. Department of Justice to help with an investigation, and encouraged all WhatsApp users to update to the latest version of the app, where the breach had been fixed.
WhatsApp, one of the most popular messaging tools in the world, is used by 1.5 billion people monthly. It has touted its high level of security and privacy: messages on its platform are end-to-end encrypted, so that neither WhatsApp nor third parties can read or listen to them.
The company said it was still investigating the breach but believed only a “select number of users were targeted through this vulnerability by an advanced cyber actor.”
But its advice to all users to update came “out of an abundance of caution” and a recommendation by Citizen Lab, a research group at the University of Toronto. It did not disclose how many users were affected.
A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”
WhatsApp said it was “deeply concerned about the abuse” of such surveillance technologies and that it believed human rights activists may have been the targets.
“We’re working with human rights groups on learning as much as we can about who may have been impacted from their community. That’s really where our highest concern is,” the spokesman said.
Citizen Lab tweeted: “We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer.”
Ireland’s Data Protection Commission (DPC), WhatsApp’s lead regulator in the European Union, said WhatsApp had notified the agency late on Monday of a “serious security vulnerability” on its platform.
“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed,” the regulator said in a statement.
Cyber security experts said the vast majority of users were unlikely to have been affected.
Scott Storey, a senior lecturer in cyber security at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people, mainly human rights campaigners.
“For the average end user, it’s not something to really worry about,” he said, adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.”
Storey said that disclosing vulnerabilities was a good thing and would likely lead other services to look at their own security.
The Financial Times initially reported on the WhatsApp vulnerability that allowed attackers to inject spyware on phones via the app’s phone call function.
The FT said the spyware was developed by Israeli cyber surveillance company NSO Group — best known for its mobile surveillance tools — and affects both Android and iPhones.
Asked about the report, NSO said its technology is licensed to authorised government agencies “for the sole purpose of fighting crime and terror,” that it has a rigorous licensing and vetting process, and that it does not operate the system itself.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” the company said. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
Social media group Facebook bought WhatsApp in 2014 for $19 billion.
Facebook co-founder Chris Hughes last week wrote in The New York Times that fellow co-founder Mark Zuckerberg had far too much influence by controlling Facebook, Instagram and WhatsApp, three core communications platforms, and called for the company to be broken up.
Facebook’s shares were down about 1.1 percent in New York.