JERUSALEM (Reuters) - Facebook's WhatsApp on Tuesday urged users to upgrade to the latest version of its popular messaging app after acknowledging a report that users could be vulnerable to having malicious spyware installed on phones without their knowledge.
The messaging service posted a vulnerability report on Facebook that described "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number."
The flaw means that if a user accepts a call from an attacker, spyware will load onto their iOS, Android, Windows Phone or Tizen devices.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokesman said.
"We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."
News of the flaw emerged in The Financial Times, which on Monday reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app's phone call function. It said the spyware was developed by Israeli cyber surveillance company NSO Group.
Asked about the report, NSO said its technology is licensed to authorised government agencies "for the sole purpose of fighting crime and terror," and that it does not operate the system itself.
"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," the company said.
"NSO would not or could not use its technology in its own right to target any person or organization, including this individual."
The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15. The fix is simple: update the app.
(Reporting by Steven Scheer, Ari Rabinovitch and Tamara Mathias, editing by Louise Heavens)