WhatsApp users have been warned to update their app immediately after a shock cyber threat was discovered.
The Facebook-owned firm issued a stark warning after the popular service, which is used by over 1.5 billion people, was targeted by cyber criminals in an attack that could allow them to access and monitor users' smartphones.
Hackers were able to remotely install surveillance software on devices including iPhone and Android smartphones using a major vulnerability within the platform.
The attack involved cyber hackers using WhatsApp’s voice calling function to ring a device. The surveillance software would then be installed, even if that call was not picked up.
1.5 billion users
On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution to protect themselves.
WhatsApp promotes itself as a “secure” communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient’s device.
A report in the Financial Times revealed that attackers could transmit malicious code to a victim’s phone by calling the user and infecting the device, even if the call wasn’t answered. Logs of the incoming calls were often erased.
The spyware, developed by the secretive Israeli spyware company NSO Group, has the ability to give hackers full access to a phone remotely, allowing them to read messages, see contacts and activate the camera.
WhatsApp confirmed that a “select number” of users had been victims and that the bug affects all but the latest version of the app on iOS and Android.
Upgrade
A spokesperson said: “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.
“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
The Financial Times also reported that cyber hackers had been using the loophole up until Sunday evening, when it was used to target a UK-based human rights lawyer.
NSO
A spokesman for NSO, which is believed to sell its spyware to intelligence agencies and nation states, said that it was investigating the issue. The spokesman said NSO “would not or could not” use its own technology to target “any person or organisation”, including the UK lawyer.
The vulnerability was also used to target a researcher at Amnesty International, which is fighting for the NSO Group to have its export license withdrawn by the Israeli government.
WhatsApp engineers in both the UK and US worked on a fix around the clock after the issue came to light and have now issued a patch for the bug.
The company began rolling out a fix to its own servers on Friday, blocked attempts to exploit the flaw as recently as Sunday and urged users to install an update on Monday.
The vulnerability and suspected attacks were investigated by Citizen Lab, a research group at the University of Toronto, last week.
‘We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer,’ the lab said.
How to update your app
Most apps update automatically, but an update can also be done manually.
iOS
Apple users need to open the App Store on their handset and select ‘Updates’ in the bottom row.
Refresh this page by dragging the screen down to ensure all the recent updates are available. All apps installed on the device which have a pending update can be seen here; simply tap ‘Update’ next to the app.
Android
The update process is similar to iOS, but you have to access Google Play Store instead.
Open the Find My Apps and games section and refresh the page.
All available and pending updates will then be present. Select ‘Update’ next to the desired app and it should be automatically updated.