WhatsApp tells users to update app after finding flaw that allows commercial-grade spying

SINGAPORE - A flaw in the popular messaging app WhatsApp has allowed hackers to remotely install surveillance software on phones via its voice call function, potentially affecting all of its 1.5 billion users worldwide.

In a statement on Monday (May 13), Facebook-owned WhatsApp urged all users to update to the latest version of the app that contains the patch by going to the Google Play Store or Apple App Store.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the statement said.

The tech giant believes that the flaw affected only a “select number” of targeted users, because the spyware found to have been installed was commercial-grade and of a kind typically sold to nation-states.

The spyware in question is Israel-based NSO Group’s Pegasus, typically licensed to government agencies.

Hackers could use the security flaw to insert spyware and steal data from an Android phone or an iPhone by placing a WhatsApp call – even if the call is not picked up.

The New York Times reported that the spyware was used to break into the phone of a London lawyer who had been involved in lawsuits accusing NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists.

WhatsApp said it took less than 10 days after discovering the flaw in early May to make the required changes to its infrastructure. A WhatsApp app update went out last Friday (May 10) to correct the flaw.

WhatsApp engineers who examined the vulnerability concluded that the spyware in question is similar to other tools from the NSO Group.


In response, NSO Group reportedly said its technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.

NSO also said it does not operate Pegasus, and that intelligence and law enforcement agencies determine how to use the technology to support their public safety missions.

“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” according to NSO Group.