On Monday, WhatsApp urged all of its 1.5 billion users to update their apps after concerns were raised that hackers could inject surveillance software onto phones via the call function.
The app discovered a vulnerability that allowed attackers to install malicious code on iPhones and Android phones by ringing up a target device.
The code could be transmitted even if users did not answer their phones and a log of the call often disappeared, according to reports.
The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times.
The problem was first discovered earlier in May.
The company, which is owned by Facebook, said the attack bore a resemblance to spyware developed for intelligence agencies.
WhatsApp promotes itself as a “secure” communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender’s or recipient’s device.
However, the surveillance software would have let an attacker read the messages on the target’s device.
“Journalists, lawyers, activists and human rights defenders” are most likely to have been targeted, said Ahmed Zidan from the non-profit Committee to Protect Journalists.
The attack involved using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software would be installed and, the FT reported, the call would often disappear from the device’s call log.
WhatsApp told the BBC its security team was the first to identify the flaw, and shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said on Monday in a briefing document note for journalists.
The NSO Group is part-owned by the London-based private equity firm Novalpina Capital, which acquired a stake in February.
NSO’s flagship software, Pegasus, has the ability to collect intimate data from a target device, including capturing data through the microphone and camera, and gathering location data.
Amnesty International – which said it had been targeted by tools created by the NSO Group in the past – said this attack was one human rights groups had long feared was possible.
“They’re able to infect your phone without you actually taking an action,” said Danna Ingleton, deputy programme director for Amnesty Tech. She said there was mounting evidence that the tools were being used by regimes to keep prominent activists and journalists under surveillance.
“There needs to be some accountability for this, it can’t just continue to be a wild west, secretive industry.”
On Tuesday, a Tel Aviv court will hear a petition led by Amnesty International that calls for Israel’s Ministry of Defence to revoke the NSO Group’s licence to export its products.