WhatsApp had a scary flaw that secretly sent spyware to smartphones simply by calling the victim.

On Monday, the Facebook-owned messaging service disclosed the vulnerability, which affects iOS and Android, after it was used to attack a number of victims, a WhatsApp spokesperson told PCMag.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date," the spokesperson said in an email.

According to WhatsApp, the attacks have all the hallmarks of a private company that works with governments to deliver spyware to mobile phones. Although it refrained from naming the company, WhatsApp is probably referring to NSO Group, an Israeli technology firm notorious for developing a spyware program known as Pegasus, which has targeted human rights activists, politicians, and journalists.

The WhatsApp vulnerability allegedly allowed NSO Group to send spyware to the victims even when didn't answer a voice call on the app, according to The Financial Times, which was first to report the news.

The vulnerability deals with the voice over IP (VoIP) function on WhatsApp, which can enable internet-based voice calls. A bug in the VoIP function could let the attacker send specially crafted data packets to essentially rewrite the app's memory, paving the way for remote code execution.

WhatsApp told PCMag it identified the vulnerability earlier this month and promptly fixed it with patches that can be downloaded on the iOS and Android versions of the app. The chat service also changed its IT infrastructure to prevent the attack from taking place.

It isn't clear how many victims were targeted. But it may have been used to attack a UK-based human rights lawyer on Sunday, according to Citizen Lab, a watchdog group at the University of Toronto, which has been investigating NSO Group's activities.

WhatsApp has just pushed out updates to close a vulnerability. We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer. Now is a great time to update your WhatsApp software https://t.co/pJvjFMy2aw https://t.co/e8VQUraZWQ — Citizen Lab (@citizenlab) May 13, 2019

The vulnerability is found in WhatsApp for Android prior to version v2.19.134 and WhatsApp for iOS prior to v2.19.51. The WhatsApp Business apps and Windows Phone and Tizen versions are also affected. You can find out more here.

In a statement, NSO Group defended its technologies, saying they're designed for the purposes of helping governments fight crime and terrorism. "The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions," NSO Group said.

"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," the company added.

Further Reading

VoIP & Phone Service Reviews