Spyware crafted by a sophisticated group of hackers-for-hire took advantage of a WhatsApp flaw to remotely hijack dozens of phones, the company said late Monday. The Financial Times identified the actor as Israel's NSO Group, and WhatsApp all but confirmed the identification, describing hackers as "a private company that has been known to work with governments to deliver spyware." A rep for the Facebook subsidiary said the malware was able to penetrate phones through missed calls alone via the app's voice calling function. The flaw was discovered in May while "our team was putting some additional security enhancements to our voice calls," he said; engineers found that people targeted for infection "might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped."
An unknown number of people—an amount in the dozens at least—were infected with the malware. John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack "a very scary vulnerability" in comments to the AP. "There's nothing a user could have done here, short of not having the app," he said. WhatsApp, which has more than 1.5 billion users, quickly fixed the issue and pushed out a patch. The revelation adds to the questions over the reach of NSO's powerful spyware, which can effectively turn cell phone cameras into pocket-sized surveillance devices. NSO's spyware has repeatedly been deployed to hack journalists, lawyers, human rights defenders, and dissidents. Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi.
(More
WhatsApp stories.)