Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users, and was orchestrated by "an advanced cyber actor".

A fix was rolled out on Friday.

The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times.

On Monday WhatsApp urged all of its 1.5bn users to update their apps as an added precaution.

The attack was first discovered earlier this month.

It involved attackers using WhatsApp's voice calling function to ring a target's device. Even if the call was not picked up, the surveillance software would be installed, and, the FT reported, the call would often disappear from the device's call log.

WhatsApp said its security team was the first to identify the flaw, and shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

"The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said on Monday in a briefing document note for journalists.

The firm also published an advisory to security specialists, in which it described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

BBC
BDST: 0933 HRS, MAY 14, 2019
RS