Some WhatsApp users may have had their phones infected with sophisticated spyware through a missed in-app call alone, the company says.
The popular messaging service said “an advanced cyber actor” infected an unknown number of people with the malware, which was discovered in early May.
A WhatsApp spokesman, who would not be further identified, said a figure “in the dozens at least” would not be inaccurate.
The company said it has since quickly resolved the issue and pushed out a patch.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” it said in a statement.
The spyware could be transmitted when attackers called a target’s device, regardless of whether the target answered the call.
Logs of incoming calls were also erased, according to the Financial Times, which first reported the breach.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company told the Financial Times.
“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
The Financial Times identified the company as Israel’s NSO Group, whose Pegasus software is known to have been used against human rights activists.
Amnesty International, which has previously reported being targeted by the software, is supporting legal action that would compel the Israeli Ministry of Defence to revoke the export licence of NSO Group due to its “chilling attacks on human rights defenders around the world”.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics,” said Danna Ingleton, deputy director of Amnesty Tech.
NSO Group told the Financial Times it was investigating the issue and under no circumstances would it “be involved in the operating or identifying of targets of its technology”, which it said was solely operated by intelligence and law enforcement agencies.