The popular instant messaging system WhatsApp—owned by Facebook—has been revealed as an Israeli spyware platform using malicious code from the Jews-only state’s infamous NSO Group, according to a report in the Financial Times.
According to the FT, the security breach in WhatsApp—which is used by 1.5 billion people worldwide—was discovered in May this year. Hackers install surveillance software on iPhones and Android phones by ringing up targets using the app’s phone call function.
“The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs,” the FT reported.
NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data. NSO advertises its products to Middle Eastern and western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime.
In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.
WhatsApp said teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said.
WhatsApp disclosed the issue to the US Department of Justice last week, the report continued.
Amnesty International, which identified an attempt to hack into the phone of one its researchers, is backing a group of Israeli citizens and civil rights group in a filing in Tel Aviv asking the defence ministry to cancel NSO’s export licence.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty Tech.
“The Israeli Ministry of Defence has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”
The WhatsApp vulnerability is a buffer overflow weakness, enabling malicious code to be inserted into data packets sent during the process of starting a voice call. When the data is received, WhatsApp’s internal buffer is forced to overflow, overwriting other parts of the app’s memory, and control is given over to the application.