WhatsApp confirms cyber surveillance attack

A vulnerability in the messaging app has allowed hackers to install surveillance software on phones and other devices.

In early May, it was discovered by WhatsApp’s security team, that attackers were able to install surveillance software on both iPhones and Android phones by ringing a target’s device. Even if the call was not picked up, the malicious software could immediately be installed, and often the call disappeared from the call logs.

The attack was developed by the Israeli company NSO Group. WhatsApp disclosed that the attack targeted a “select number” of users. Although it is too early in the investigations to state a definite number on how many phones were targeted.

NSO’s flagship product is Pegasus, a program that has the ability to collect intimate and sensitive data from a target device, including obtaining data through the microphone and camera, and collecting location data.

Danna Ingleton, deputy programme director for Amnesty Tech said:

“They’re able to infect your phone without you actually taking an action.”

WhatsApp disclosed the attack to the US Department of Justice last week, and began rolling out a fix to its servers on Friday last week, and on Monday customers were issued a patch.

WhatsApp said:

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.

“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

NSO responded:

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”

“NSO would not, or could not, use its technology in its own right to target any person or organisation.”

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/