
NSO Group tools abused WhatsApp to target human rights defenders with invasive spyware

On 13 May 2019, reports emerged about a security vulnerability in the popular messaging service WhatsApp which was leveraged to spy on the device of a high-risk human rights defender among others.

This afternoon, October 29th, WhatsApp confirmed that the exploit (software or a command that leverages a specific software vulnerability to execute unwanted code on the vulnerable device) was deployed by the Israel-based surveillance tool vendor NSO Group. The exploit could deliver intrusive spyware to the target’s mobile device without the targeted person having to click on a malicious link. The targeted person would simply see a missed call on WhatsApp.

What you need to know about the WhatsApp vulnerability

  • According to a WhatsApp spokesperson, this vulnerability was abused in targeted attacks against approximately 1400 WhatsApp users up until May 2019.
  • While all WhatsApp users were at risk from this vulnerability, the vast majority of users will not have been targeted. WhatsApp have now notified all those they believe to have been targeted.
  • The exploit was not always reliable. Individuals who were targeted may not have had their devices successfully compromised.
  • WhatsApp blocked this attack in May and released urgent software updates to mitigate the underlying security flaw. All WhatsApp users have been protected from this particular vulnerability since May 2019.
  • Though most WhatsApp users are unlikely to have been targeted by this flaw, it is important that all users ensure their devices and applications, including WhatsApp, are fully updated.

How it worked

  • The security vulnerability in question was in the code that WhatsApp uses to establish a new voice or video call. To exploit it, the attack initiated WhatsApp calls to the target’s device.
  • Attackers may have tried to exploit this issue by making calls multiple times during the night when the target was likely to be asleep and not notice these calls.
  • Successful infection of the target’s device may result in the app crashing. There is a possibility that the attacker may also remotely erase evidence of these calls from the device’s call logs.
  • Evidence of failed attacks may appear as missed calls from unknown numbers in your WhatsApp call log.

How do I get in touch?

If you are a high-risk user, have received a notification from WhatsApp or have seen other suspicious activity, contact Amnesty Tech’s Disrupting Surveillance Team for further support. Take a screenshot of any suspicious call logs or messages and email them to: