NSO hijacked hundreds of smartphones via a security vulnerability in WhatsApp. (Tim Reckmann/Flickr)

An Israeli company enabled the hacking of American citizens’ phones – possibly including some belonging to government officials.

The NSO Group’s spy software used a security vulnerability in WhatsApp to hijack the phones of at least 1,400 people in the spring, a Reuters report revealed on Thursday.

The news agency spoke to sources familiar with an internal WhatsApp investigation into the breach.

The targets were spread across more than 20 countries, many of them US allies, Reuters reported.

Their sources stated that a “significant” number of the known victims were high-profile government and military officials.

Some of the victims are in the United States, the United Arab Emirates, Bahrain, Mexico, Pakistan and India, according to Reuters’ sources.

But the news agency stated it “could not verify whether the government officials were from those countries or elsewhere.”

WhatsApp

WhatsApp – a smartphone messaging service owned by Facebook – first revealed the attack soon after it patched up the vulnerability in May.

The spyware, named Pegasus, is an incredibly sophisticated and dangerous cyberweapon which allows its operator to essentially hijack entire smartphones – not only WhatsApp.

A now-fixed security flaw in WhatsApp was the point of infection.

The spyware’s controllers can steal contact lists, passwords, text messages and listen in on phone calls.

Pegasus even gives snoopers the ability to switch on the phone’s camera and microphone, effectively turning it into a weapon against its owner.

Hacking

It has been known for some years now that NSO Group and other Israeli cyberwarfare mercenaries have allowed and enabled the targeting of human rights defenders, journalists and politicians around the world.

But this latest report last week shows that Americans too are being targeted by whoever NSO is selling its multi-million-dollar software to.

WhatsApp filed a lawsuit in California last week against NSO, and the internal report seen by the Reuters sources is seemingly part of that case.

According to Canadian cyber security organization Citizen Lab, the breach involved “over 100 cases of abusive targeting of human rights defenders and journalists.”

Although NSO has in the past defended its actions claiming its products are meant to help only legitimate governments catch criminals and “terrorists,” the internal WhatsApp investigation reportedly shows that that is untrue.

“Prior to notifying victims,” Reuters reported, “WhatsApp checked the target list against existing law enforcement requests for information relating to criminal investigations, such as terrorism or child exploitation cases.”

According to Reuters’ sources, not a single one of those targeted was an alleged criminal or terrorist.

Similar to other internet firms, WhatsApp maintains an online portal through which government law enforcement agencies can request information on its users.