You've heard the advice a million times. Don't click links in suspicious emails or texts. Don't download shady apps. But a new Financial Times report alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn't need to pick up to be infected, and the calls often left no trace on the phone's log. But how would a hack like that even work in the first place?

WhatsApp, which offers encrypted messaging by default to its 1.5 billion users worldwide, discovered the vulnerability in early May and released a patch for it on Monday. The Facebook-owned company told the FT that it contacted a number of human rights groups about the issue and that exploitation of this vulnerability bears "all the hallmarks of a private company known to work with governments to deliver spyware." In a statement, NSO Group denied any involvement in selecting or targeting victims but not its role in the creation of the hack itself.


So-called zero-day bugs, vulnerabilities that attackers exploit before the vendor knows about them or has shipped a fix, happen on every platform. It's part and parcel of software development; the trick is to close those security gaps as quickly as possible. Still, a hack that requires nothing but an incoming phone call seems uniquely hard, if not impossible, for a user to defend against: there is no link to avoid clicking and no app to avoid installing.

WhatsApp wouldn't elaborate to WIRED about how it discovered the bug or give specifics on how it works, but the company says it is doing infrastructure upgrades in addition to pushing a patch to ensure that customers can't be targeted with other phone-call bugs.

"Remote-exploitable bugs can exist in any application that receives data from untrusted sources," says Karsten Nohl, chief scientist at the German firm Security Research Labs. That includes WhatsApp calls, which use voice-over-IP (VoIP) technology to connect users. A VoIP app has to process the packets that announce an incoming call and notify you about it before you decide whether to pick up, so attacker-supplied data reaches its parsing code with no interaction at all. "The more complex the data parsing, the more room for error," Nohl says. "In the case of WhatsApp, the protocol for establishing a connection is rather complex, so there is definitely room for exploitable bugs that can be triggered without the other end picking up the call."

VoIP calling services have been around for so long that you'd think any kinks in the basic call connection protocols would be worked out by now. But in practice, every service's implementation is a little bit different. Nohl points out that things get even trickier when you are offering end-to-end encrypted calling, as WhatsApp famously does. While WhatsApp bases its end-to-end encryption on the Signal Protocol, its VoIP calling functionality likely includes other proprietary code, and a bug in that code is not covered by any audit of the Signal Protocol itself. Signal says that its service is not vulnerable to this calling attack.

According to Facebook's security advisory, the WhatsApp vulnerability stemmed from an extremely common type of bug known as a buffer overflow. A buffer is a fixed-size region of memory that an app sets aside to hold incoming data. If the code copies more data into it than it was sized for, the excess "overflows" into whatever sits next to it in memory: other variables, control data, or the addresses the program uses to decide what to run next. That can simply crash the app, or, when the attacker controls what spills over, give them a foothold to gain more and more control. That's what happened with WhatsApp: the advisory placed the overflow in the app's VoIP stack, triggered by a specially crafted series of SRTCP (encrypted call-control) packets sent to the target's phone number. The hack exploits the fact that in a VoIP call the code that negotiates the connection has to parse the caller's packets and set up state before the user ever picks up, declines, or otherwise reacts, so a malformed setup message reaches vulnerable code with no interaction at all.
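The class of defect described above (and the "complex parsing of untrusted data" point Nohl makes earlier), as an added example that is not WhatsApp's code and not taken from Facebook's advisory: a toy call-setup parser that trusts an attacker-supplied length byte, beside the bounds-checked version. The packet format, the `call_state` struct and the field names are constructed for this illustration. The unsafe parser copies however many bytes the packet declares into a 16-byte buffer; the bytes that do not fit land in the `handler` field placed right after it, which stands in for the control data a real overflow would clobber. The overrun is written through the enclosing struct so that the demonstration is deterministic rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed call-setup message for this example, NOT WhatsApp's wire format:
 *   byte 0:   message type
 *   byte 1:   declared payload length (attacker controlled)
 *   bytes 2+: payload
 */
#define MSG_SETUP   0x01
#define PAYLOAD_MAX 16

/* Hypothetical per-call state. `payload` is the "holding pen"; `handler`
 * stands in for the control data that sits next to it in memory. */
struct call_state {
    uint8_t  payload[PAYLOAD_MAX];
    uint32_t handler;
};
enum { STATE_RINGING = 1 };

/* The demo relies on `handler` directly following the buffer. */
_Static_assert(offsetof(struct call_state, handler) == PAYLOAD_MAX,
               "unexpected padding after payload");

typedef int (*parser_fn)(struct call_state *, const uint8_t *, size_t);

/* Vulnerable: verifies that the packet really carries `declared` bytes, but
 * never verifies that `declared` fits in the destination buffer. */
int parse_setup_unsafe(struct call_state *cs, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2 || pkt[0] != MSG_SETUP) return -1;
    uint8_t declared = pkt[1];
    if (pkt_len < 2u + declared) return -1;      /* checks the packet, not the buffer */
    /* Write through the enclosing struct so the overrun stays inside one object
     * and is deterministic here; a real bug writes past the array into
     * whatever happens to follow it. */
    uint8_t *dst = (uint8_t *)cs + offsetof(struct call_state, payload);
    memcpy(dst, pkt + 2, declared);
    return 0;
}

/* Hardened: the declared length is checked against the buffer size
 * before a single byte is copied. */
int parse_setup_safe(struct call_state *cs, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2 || pkt[0] != MSG_SETUP) return -1;
    uint8_t declared = pkt[1];
    if (pkt_len < 2u + declared) return -1;
    if (declared > PAYLOAD_MAX) return -2;       /* the missing check */
    memcpy(cs->payload, pkt + 2, declared);
    return 0;
}

struct parse_result { int rc; uint32_t handler; };

/* Builds a setup packet carrying `payload_len` bytes of 'A' (0x41), feeds it
 * to `parser`, and reports the verdict plus the handler field afterwards. */
struct parse_result feed_packet(parser_fn parser, uint8_t payload_len)
{
    struct call_state cs;
    memset(&cs, 0, sizeof cs);
    cs.handler = STATE_RINGING;

    /* Keep the harness itself within the object; the bug under test is the parser's. */
    if (payload_len > sizeof cs) payload_len = (uint8_t)sizeof cs;

    uint8_t pkt[2 + sizeof cs];
    pkt[0] = MSG_SETUP;
    pkt[1] = payload_len;
    memset(pkt + 2, 'A', payload_len);

    struct parse_result r;
    r.rc = parser(&cs, pkt, 2u + payload_len);
    r.handler = cs.handler;
    return r;
}

int main(void)
{
    struct parse_result r;

    r = feed_packet(parse_setup_unsafe, 8);
    printf("unsafe,  8-byte payload: rc=%d handler=0x%08x\n", r.rc, r.handler);
    r = feed_packet(parse_setup_unsafe, 20);
    printf("unsafe, 20-byte payload: rc=%d handler=0x%08x (clobbered)\n", r.rc, r.handler);
    r = feed_packet(parse_setup_safe, 20);
    printf("safe,   20-byte payload: rc=%d handler=0x%08x (rejected)\n", r.rc, r.handler);
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. With an 8-byte payload both parsers behave identically, which is why this kind of bug survives ordinary testing; with 20 bytes the unsafe parser reports success while `handler` has become 0x41414141, attacker-chosen bytes where the program expected its own state. Because the demo deliberately keeps the write inside the struct, AddressSanitizer will not flag it; in a real parser the overrun leaves the object, which is exactly what `-fsanitize=address` and fuzzing the packet parser are meant to catch before an attacker does.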

"This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days," says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. "Security never was WhatsApp's primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities."