WhatsApp Hacked? How to Update App After Spying Malware Discovery

WhatsApp is urging users to download the latest version of the software after reports that a notorious form of malware has been used for phone surveillance.

Both Android and iOS versions of the Facebook-owned app, which is marketed as a secure method of communication to more than 1.5 billion users, were recently targeted by malware created by Israeli spyware outfit NSO Group, the Financial Times reported Monday.

The report sent shockwaves across the cybersecurity community after revealing that the attack was transmitted via voice call—infecting devices even if calls were not answered—and was used to target a U.K.-based human rights lawyer as recently as last Sunday.

The powerful Pegasus malware—typically sold by the company to intelligence agencies—can spy on voice calls and text messages while also recording audio and video from phones.

It is still not clear how many WhatsApp users have been affected, but the company pushed out a patch last Friday and issued the urgent update to its wider user base Monday.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," the company said in a statement.

While staying ahead of nation-state hacking threats is extremely difficult, making sure your app is updated is, thankfully, a simple process. On Android, go to the Play Store and tap the "Update" button that appears next to the WhatsApp logo. On iOS, it is the same process, but use the App Store. New software versions contain the newest features and bug fixes, WhatsApp said.

The security loophole that enabled the WhatsApp hack was discovered this month, according to the Financial Times. The problem was reported to the U.S. Department of Justice in the past week.

An Israeli woman uses her iPhone in front of the building housing the Israeli NSO Group, on August 28, 2016, in Herzliya, near Tel Aviv. JACK GUEZ/AFP/Getty Images

In a statement to the BBC, NSO Group said its spy tools are used for combating "crime and terror"—despite its software having been linked to the surveillance of human rights groups in the past. The company distanced itself from the newly exposed surveillance operation.

"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system," NSO Group said in its release.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," it added.

WhatsApp did not reference the company's name in its public response but noted that the attack had "all the hallmarks of a private company known to work with governments to deliver spyware." The cyberattack was likely highly targeted in nature, but the investigation remains ongoing.

In August last year, Amnesty International revealed that one of its staff members had received a booby-trapped WhatsApp message that was linked to NSO spyware infrastructure. This week, the organization said it was supporting a legal case in the District Court of Tel Aviv demanding the export license for NSO Group be revoked by the Israeli Ministry of Defense.

Danna Ingleton, deputy program director of Amnesty's technology division, said in a statement Monday: "NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw."

The group said Pegasus had been tied to surveillance of two dozen human rights campaigners. Those potentially included Jamal Khashoggi, the assassinated Saudi journalist who disappeared after entering the Saudi consulate in Istanbul last October, The New York Times first reported.