WhatsApp voice calls used to inject Israeli spyware on phones

A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said.

WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. 

The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.

WhatsApp, which is owned by Facebook, is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, said a person familiar with the issue.

As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method. 

Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to the same vulnerability that WhatsApp was trying to patch.

NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.

NSO advertises its products to Middle Eastern and western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime. NSO was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital.

In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.

WhatsApp said teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said. All users should update to the latest version of WhatsApp, which was issued on Monday, the company said.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

WhatsApp disclosed the issue to the US Department of Justice last week, according to a person familiar with the matter. A justice department spokesman declined to comment.

NSO said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”

The UK lawyer, who declined to be identified, has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada sue NSO in Israel, alleging that the company shares liability for any abuse of its software by clients.

John Scott-Railton, a senior researcher at Citizen Lab, said the attack had failed. “We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection,” said Mr Scott-Railton. “We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”

Other lawyers working on the cases have been approached by people pretending to be potential clients or donors, who then try and obtain information about the ongoing lawsuits, the Associated Press reported in February.

“It’s upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits,” said Alaa Mahajne, a Jerusalem-based lawyer who is handling lawsuits from the Mexican and Saudi citizens. “This desperate reaction to hamper our work and silence us itself shows how urgent the lawsuits are, as we can see that the abuses are continuing.”

On Tuesday, NSO will also face a legal challenge to its ability to export its software, which is regulated by the Israeli ministry of defence.

Amnesty International, which identified an attempt to hack into the phone of one of its researchers, is backing a group of Israeli citizens and civil rights group in a filing in Tel Aviv asking the defence ministry to cancel NSO’s export licence.

“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty Tech.

“The Israeli Ministry of Defence has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”