A cybersecurity breach in Facebook’s messaging app WhatsApp left users unknowingly vulnerable to malicious spyware installed on their smartphones, WhatsApp admitted Monday.
The security vulnerability affects both iPhone and Android devices, and WhatsApp is urging users to update their apps as soon as possible.
WhatsApp, which is used by over 1.5 billion people, confirmed the vulnerability in a statement, but didn’t name the perpetrator.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement .
“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
Facebook issued a security advisory confirming the vulnerability on Monday that outlines which versions of WhatsApp where affected.
The Financial Times reported that a loophole in WhatsApp allowed attackers to inject spyware on smartphones by calling targets using the app. The malicious code could be transmitted whether the user answered the call or not.
The Financial Times said the spyware was developed by Israeli cyber surveillance company NSO Group.
An NSO spokesperson told USA TODAY that the company’s technology is “licensed to authorized government agencies for the sole purpose of fighting crime and terror.”
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” NSO said in a statement.
WhatsApp says the cyber threat was first discovered earlier this month and had been used to target a “select number” of users. The messaging company said it briefed human rights organizations on the discovery and notified U.S. law enforcement to help them conduct an investigation.