WhatsApp says a vulnerability in the popular communications app let mobile phones be infected with sophisticated spyware with a missed in-app call alone.

The Facebook subsidiary says “an advanced cyber actor” infected an unknown number of people with the malware, which it says it discovered in early May. A WhatsApp spokesman who would not be further identified said an amount in the dozens at least would not be inaccurate.

WhatsApp said the attack had all the hallmarks of a private company known to work with governments to infect phones.

The Financial Times identified the company Monday as Israel’s NSO Group, whose Pegasus software is known to have been used against rights activists.

WhatsApp said it contacted human rights groups, quickly fixed the issue and pushed out a patch.