WASHINGTON: WhatsApp said on Tuesday that a security breach on its messaging app had signs of coming from a government using surveillance technology developed by a private company, and it may have targeted human rights groups.
WhatsApp, a unit of Facebook, said it had notified the U.S. Department of Justice to help with an investigation, and it encouraged all WhatsApp users to update to the latest version of the app, where the breach had been fixed.
WhatsApp, one of the world's most popular messaging tools, is used by 1.5 billion people monthly. It has touted its high level of security and privacy, with messages on its platform being encrypted end-to-end so that WhatsApp and third parties cannot read or listen to them.
The company said it was still investigating the breach but believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor."
WhatsApp said its advice to all users to update came "out of an abundance of caution" and a recommendation by Citizen Lab, a research group at the University of Toronto that it notified about the vulnerability before the announcement.
It did not disclose how many users were affected. A technical advisory published on Facebook's security website said the vulnerability affected both Android and iPhones.
A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a "private company working with governments on surveillance."
The FBI and Justice Department declined to comment.
Human rights lawyer a target
The Financial Times initially reported on the WhatsApp vulnerability that allowed attackers to inject spyware on phones via the app's voice-calling function.
WhatsApp told human rights groups it believed the spyware was developed by Israeli cyber surveillance company NSO Group, best known for its mobile hacking tools, said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a San Francisco-based nonprofit.
"They said they believed it was NSO Group, but they also couched it in very careful terms with many caveats, because attribution is hard," she said.
Like Citizen Lab, EFF was among the groups WhatsApp notified several days ago about the vulnerability.
A second person familiar with the matter also identified NSO Group as the suspected culprit.
NSO did not comment on the specific attacks. In a statement sent to Reuters, NSO said it would investigate any "credible allegations of misuse" of its technology.