- A Financial Times report outlines allegations that an Israel-based company was able to successfully install malware on Facebook's WhatsApp that could have been used for surveillance on phone calls made over the app.
- The encrypted messaging app confirmed its vulnerability to spyware but did not name the perpetrator.
- "WhatsApp encourages people to upgrade to the latest version of our app," the company said in a statement.
What users may not have expected, however, was that their conversations could potentially be tapped by a third party — another company with the means to create powerful malware that could intercept protected conversations, as reported by the Financial Times on Monday. The report outlines allegations that an Israel-based company was able to successfully install malware that could have been used for surveillance on phone calls made over the app.
WhatsApp confirmed the vulnerability of its app, but did not name the perpetrator.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokesperson told CNBC in a statement Monday. "We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."
The Financial Times named Israel-based cyersecurity company, NSO Group, for the incident. WhatsApp has already indicated the attack looks as though it was conducted by a private company that works with governments to deliver spyware, and a "select number" of users were targeted.
NSO Group is best known for its reported, though not confirmed, role in assisting the FBI in opening the phone of the San Bernardino mass shooter after Apple fought an FBI request to do so.
"NSO's technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions," NSO Group said in a statement. The company emphasized that it does not use the hacking tools itself, and the tools are "solely operated by intelligence and law enforcement agencies."
"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system," the company said, though it did not clarify whether the WhatsApp issue represented a "misuse" of its tools, but a person familiar with the company said only licensed government intelligence and law enforcement agencies use its tools for "specific terror or criminal threats or investigations."
The claims could raise serious problems for WhatsApp's reputation, which has been built on the privacy and security of the end-to-end encryption in its very popular texting and voice calling application.
End-to-end encryption means data sent via WhatsApp is scrambled in transit, and only understandable by the party sending it and the party receiving it — whether the data is in the form of texts, pictures or voice conversations. It's a major selling point for the application.
WhatsApp's security in transit has made it a popular choice for people wishing to communicate "out of band" — off regular, unencrypted or corporate communications channels — about all manner of personal information, including everything from legal and business matters to personal or political problems.
An unknown party, according to the FT report, sought to acces decrypted data on the devices of targeted individuals using the malware, targeting human rights attorneys and using the NSO Group's tools to do so. The malicious code is designed to target communications databases housed on the devices.
WhatsApp reportedly said it had contacted Justice Department authorities.
The investigation is in its early stages, but WhatsApp will have to fight to maintain its reputation among security-minded customers who are worried their data could be compromised not, only by the Israeli company, but by any other individual.
— CNBC's Saheli Roy Choudhury contributed to this report.
Correction: This article has been updated to correctly reflect that the malware in question accesses data already stored on a customer's device.