Facebook has had a tough time since the revelations of the Cambridge Analytica data harvesting case came out last year. At the F8 conference this year, the chief executive Mark Zuckerberg promised to execute a "re-plumbing" job to make Facebook and its sister platforms – including WhatsApp and Instagram – more private and secure. But, it looks like the company's problems, as well as its users', might not be ending anytime soon. In a shocking revelation, we have learned that a vulnerability in the WhatsApp messenger may have allowed hackers to install spyware on users' smartphones to snoop on so-called end-to-end encrypted chats.

Financial Times (paywall) reports that a vulnerability in WhatsApp voice calling feature allowed attackers to remotely execute a code that would install spyware on any iPhone or Android smartphone. This could be accomplished even if the targets did not pick up the call. A WhatsApp spokesperson said that the security team has patched the issue but insists users update their apps at the soonest possible.

The publication alleges although the creator of this exploit is unclear, it resembles other products by Israeli company NSO Group, which has been previously accused of providing spyware to wiretap the conversations of human right activist and journalists. NSO Group is infamous as the creator of a powerful tool called Pegasus, which can be used by intelligence agencies worldwide to eavesdrop on suspects. It was also alleged to have helped the Saudi government track the conversations of opposers of the autocratic regime and dissidents and the list of targets includes the slain Wall Street Journal reporter Jamal Khashoggi. The company claims that its products are sold to government agencies for fighting against terrorism and is been facing multiple lawsuits on grounds of illegal hacking.

Earlier this month, when WhatsApp's engineers were trying to fix the vulnerability, the came across unusual voice calling activity, which is when they grew wary of the gravity of this situation. This was reportedly an attack used to target a London-based human rights lawyer involved in lawsuits against NSO Group. The lawyer, whose name was not shared, was representing individuals including a bunch of activists, journalists, and dissidents whose smartphones have previously been sabotaged by NSO's Pegasus.

Besides releasing a fix for the vulnerability on Monday, WhatsApp also alerted the U.S. Justice Department about the possibility that similar tools could be in use for targeting users in the country.

Via: Ars Technica

Update: WhatsApp sues NSO Group

In a blog post, WhatsApp noted that it has informed approximately 1,400 through a "personal message." The Facebook-owned messaging giant has also sued the Israeli start-up NSO Group in a U.S. District Court for selling commercial spyware to governments and law enforcement agencies.

WhatsApp said in the blog post, "We believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse. This number may grow higher as more victims come forward."

NSO Group refuted these claims and told the BBC, "In the strongest possible terms, we dispute today's allegations and will vigorously fight them."