A vulnerability in the messaging app has allowed hackers to install surveillance software on phones and other devices.
In early May, it was discovered by WhatsApp’s security team, that attackers were able to install surveillance software on both iPhones and Android phones by ringing a target’s device. Even if the call was not picked up, the malicious software could immediately be installed, and often the call disappeared from the call logs.
The attack was developed by the Israeli company NSO Group. WhatsApp disclosed that the attack targeted a “select number” of users. Although it is too early in the investigations to state a definite number on how many phones were targeted.
NSO’s flagship product is Pegasus, a program that has the ability to collect intimate and sensitive data from a target device, including obtaining data through the microphone and camera and collecting location data.
Danna Ingleton, deputy programme director for Amnesty Tech said:
“They’re able to infect your phone without you actually taking an action.”
WhatsApp disclosed the attack to the US Department of Justice last week and began rolling out a fix to its servers on Friday last week, and on Monday customers were issued a patch.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.
“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
“NSO would not, or could not, use its technology in its own right to target any person or organisation.”
GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/
comments powered by Disqus