The WhatsApp hole was used to target a London lawyer who has been involved in lawsuits that accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists, the researchers said. The researchers believe the list of targets could be much longer.

Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call. As WhatsApp’s engineers examined the vulnerability, they concluded that it was similar to other tools from the NSO Group, because of its digital footprint.

The lawyer, who spoke on the condition of anonymity because he feared retribution, said he had grown suspicious that his phone had been hacked when he started missing WhatsApp video calls from Swedish telephone numbers at odd hours. The lawyer contacted Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which has helped uncover the use of NSO Group products in attacks on journalists, dissidents and activists.

Ten days ago, as Citizen Lab was looking into the incident, engineers at WhatsApp discovered what they described as abnormal voice calling activity on their systems, said a WhatsApp employee familiar with the investigation, who spoke on the condition of anonymity because the investigation was continuing.

WhatsApp alerted human-rights organizations about the threat and learned from Citizen Lab that the vulnerability had been used to target the lawyer.