9 things you need to know about the WhatsApp zero-click spyware attack

Facebook-owned WhatsApp is urging all of its users worldwide to update the app to the latest version of the software after it discovered that the app’s integrity had been compromised. The warning came after the Financial Times revealed that a vulnerability had been discovered that let attackers install spyware on iPhones and Android phones simply by placing a WhatsApp voice call to the user’s smartphone. Here are nine things you need to know about the attack:

1. The spyware was allegedly created by the Israeli cyber surveillance company NSO Group. The secretive group creates spyware it sells to governments and law enforcement agencies around the world that allows them to take almost complete control of a device. Though the spyware was allegedly created by NSO, it’s not sure who the attacker is that is using the spyware to target WhatsApp users.
2. The NSO software, called Pegasus, allows the attacker to extract all of the data on an iPhone or Android phone. This includes texts, emails, location data, contacts, browser history, and more. It also allows the attacker to activate the phone’s microphone and camera.
3. What’s notable about the WhatsApp attack is that it was a “zero-click” or “no click” attack. That means the spyware was able to be installed on a smartphone by the attacker simply placing a WhatsApp voice call to the phone. It does not matter if the call was answered or not–a target did not have to open any message, answer the call, or click on any link. After the call was placed and the spyware installed on the device, the log of the call would be deleted so the phone’s owner may have never seen that a call attempt was made in the first place.
4. Facebook discovered the vulnerability earlier this month and alerted U.S. law enforcement to the attack last week. By last Friday, Facebook had addressed the exploit in WhatsApp on the server-side, which cut off the attacker’s ability to infect phones.
5. Even though the vulnerability was able to be fixed by closing a security hole in WhatsApp’s infrastructure, the company released a WhatsApp update on Monday and is urging all users to upgrade to the latest version of the app out of an abundance of caution.
6. The affected versions of WhatsApp include WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
7. It’s unknown how many WhatsApp users were infected with the spyware. But the FT is reporting that one target of the attack was an unnamed lawyer involved in a lawsuit against NSO that was brought by a group of Mexican journalists and a Saudi Arabian dissident.
8. WhatsApp did not refer to the NSO by name, but upon confirming the attack the company said, “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society.”
9. As for the NSO Group, the company told the Financial Times, “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual.”

Related: The shadowy firm blamed for tracking Jamal Khashoggi launches a Google ad blitz

In summary, the WhatsApp attack shows just how vulnerable our devices are to malicious attacks. The good news is Facebook and WhatsApp seem to think that all attack vectors for this specific attack have been shut down. However, it’s critical that all users of WhatsApp update to the latest version of the software right now to be on the safe side.