WhatsApp has urged its users to update their apps after concerns were raised hackers could inject surveillance software on to phones via the call function.

The attack was first discovered earlier this month, and a fix was rolled out on Friday (US time).

The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times.

WhatsApp discovered a vulnerability that allowed attackers to install malicious code on iPhones and Android phones by ringing up a target device, the Daily Mail reported.


The code could be transmitted even if users did not answer their phones and a log of the call often disappeared, according to reports.

WhatsApp told the BBC its security team was the first to identify the flaw, and shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

"The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems," the company said on Monday in a briefing document note for journalists.

The firm also published an advisory to security specialists, in which it described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number."

WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that suspected attacks were highly-targetted.

An update is now available for all major platforms that fixes the bug, and security experts have urged users to ensure that their phones are up to date as soon as they can.

The release notes for the new version of the app make no mention of the bug or the fix that will be installed. On iOS, they only mentioned stickers, but WhatsApp's owner Facebook confirmed that the latest update fixes the bug.

As such, it is important to check that your phone has the right version, which will show alongside the update. On iOS, it should be version 2.19.51, and on Android it needs to be 2.19.134 or later.


The NSO Group is an Israeli company that has been referred to in the past as a "cyber-arms dealer", the BBC reported.

In a statement, the group said: "NSO's technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.

"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation."