Skip to main content

Facebook said it discovered a vulnerability in WhatsApp earlier this month that allowed hackers to install spyware just by calling someone’s phone number through the app.ARUN SANKAR/AFP/Getty Images

Hackers exploited a bug in Facebook’s popular encrypted messaging service WhatsApp to remotely take control of the phones of iPhone and Android users.

The Financial Times reported that an Israeli company called NSO Group was behind the attack, which exposed a vulnerability in WhatsApp, a private-messaging service owned by Facebook that is used by 1.5 billion people. NSO Group sells sophisticated software to government agencies to fight crime and terrorism. But the company has been widely criticized for allowing its software to be used by repressive regimes to spy on human-rights activists, journalists and political dissidents.

Facebook said it discovered a vulnerability in WhatsApp earlier this month that allowed hackers to install spyware just by calling someone’s phone number through the app. The social-media giant said it believed the attack targeted only “a select few” people and that the company had informed both human-rights organizations as well as U.S. law-enforcement agencies of the breach. Facebook rushed through a fix late last week and urged users of WhatsApp to install an update to the software released on Monday.

The WhatsApp attack appears to be a major advancement in cyber-espionage technology that could potentially be used to exploit similar vulnerabilities in other mobile-phone applications, said Ron Deibert, director of The Citizen Lab, a research group at the University of Toronto’s Munk School of Global Affairs and Public Policy that helped to uncover the attack.

The attackers were able insert code into users’ smartphones through a feature that lets people use the app to call each other over the internet. The program can covertly take over control of a phone, including turning on the microphone and camera, disabling security settings, reading messages, tracking location data and accessing personal contacts.

While Facebook did not confirm the Financial Time’s report that NSO Group was behind the attack, the Silicon Valley firm said the hack was orchestrated by “an advanced cyberactor” and “has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile-phone operating systems.”

In a statement posted on Twitter Tuesday, NSO Group denied being behind the attack. It said its technology is licensed only to vetted government agencies and that NSO has little control over how governments use its tools. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law-enforcement agencies,” the company said.

In the past, hackers would typically target users by sending them text messages or e-mails that pointed them toward a link on the internet. Users would have to click on the link to download the malicious software. But the attack on WhatsApp allowed hackers to download software onto a phone just by calling a number, even if the person at the other end of the line didn’t answer. The software could then take over a phone and delete evidence of the attack, making it harder to track.

“To me it’s kind of like a nuclear option when it comes to surveillance technology,” The Citizen Lab’s Mr. Deibert said. “There’s no need to trick anyone. You simply have to have their phone number.”

WhatsApp discovers spyware that can infect through calls

Private message: Facebook’s push into group chats is about ad growth as much as consumer tastes

Mark Zuckerberg outlines Facebook’s transformation to a ‘private social platform’

The attack also highlights some of the limitations of encrypted messaging services, which Facebook chief executive Mark Zuckerberg had recently touted as secure technology that can limit the ability of governments to access personal communication.

In the past, governments could simply compel phone and internet companies to hand over unencrypted messages.

But the growth of encrypted messaging services such as WhatsApp, which prevent companies from seeing the content of messages, has helped fuel a growing appetite for sophisticated software programs that allow governments to break through the extra security features, Mr. Deibert said.

The Citizen Lab has been tracking NSO Group’s software for several years. Last fall, the group released a report saying it had “high confidence” that Saudi intelligence officials had used NSO’s surveillance software to target a 27-year-old Quebecker named Omar Abdulaziz. Mr. Abdulaziz is a dissident Saudi activist with an active presence on social media who was a close confidante of murdered Washington Post columnist Jamal Khashoggi.

Earlier this month, a British lawyer representing several defendants in a lawsuit against NSO Group, including Mr. Abdulaziz, contacted The Citizen Lab after the lawyer started receiving phone calls at odd hours of the night to his WhatsApp account from Sweden.

The Canadian researchers analyzed the network traffic on the lawyer’s phone and alerted Facebook to the suspicious activity on WhatsApp. Mr. Deibert said The Citizen Lab researchers did not confirm the attackers were using NSO Group technology.

The researchers met with the lawyer on Sunday to test his phone and determined that Facebook had successfully fixed the problem, Mr. Deibert said.

With a report from Colin Freeze