WhatsApp users must update to the latest version of the app to avoid be infected by malicious software.
A security flaw in the popular messaging client allows the Pegasus spyware to be installed on your smartphone. WhatsApp is investigating the situation and urges its 1.5 billion users to update.
The vulnerability affects users on both Android and iOS, and it is exploited via a WhatsApp voice call. You don’t even need to answer the phone for the spyware to be installed without a trace.
Once your handset is infected, attackers can access your phone’s camera and microphones. They can also read your emails and messages, collect your location data, and more.
WhatsApp warns against spyware attack
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the service said in a statement on Tuesday.
The vulnerability in WhatsApp was uncovered earlier this month. It was used as recently as Sunday to attack a human rights lawyer in the U.K. with the Pegasus program — a commercial spyware tool developed by Israeli company NSO.
Pegasus was built for government and law enforcement agencies and designed to fight terrorism. But after making its way into the wrong hands, it has also been used to attack innocent individuals.
NSO software is huge
Researches at Citizen Lab estimate that NSO tools have been used by at least 45 countries — including the U.S. and the U.K. — to spy on civilians. Some have used the software to persecute lawyers, journalists, anti-corruption advocates, and more.
NSO software was used in 2016 to target award-winning UAE activist Ahmed Mansoor. The link Mansoor received by SMS was designed to take advantage of three zero-day vulnerabilities in the iPhone before they were quickly patched by Apple.
Sunday’s attack “has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” Facebook told The Financial Times. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
The NSO denies any links to the attack and insists that “under no circumstances” would it be involved in “the operating or identifying of targets of its technology.”
Update WhatsApp today
Sunday’s attack was blocked by WhatsApp, but it’s not known how many attacks have slipped through the net — or how many handsets may have been compromised.
To prevent your own handset from being attacked, ensure you have updated to the latest version of WhatsApp. You should also install any available updates for Android and iOS.