Attackers have used a zero-day vulnerability in the popular messaging app WhatsApp to inject Israeli spyware into phones of users through in-app voice calls, the Financial Times, London and The New York Times reported today.

A zero-day vulnerability can be exploited on the same day a weakness is discovered in software, before a fix becomes available from its creator.

The spyware was developed by an Israeli cyber intelligence company, the NSO Group, according to the report. WhatsApp found out in early May this year that attackers were able to install surveillance software on both iPhones and Android phones by making calls to targets on the app. Merely making calls was enough to compromise the end-to-end encryption on WhatsApp, allowing others to eavesdrop on messages and calls, the report stated. WhatsApp is owned by Facebook after a multi-billion dollar acquisition. An update to the app was published May 13 urging users to upgrade to it to get the patch for the vulnerability.

NSO Group’s mobile phone spyware suite is known as Pegasus and it can turn on a phone’s microphone and camera, go through emails and messages and collect location data. It is generally sold to government intelligence agencies in the name of fighting threats such as terrorism.

The malicious code could be transmitted even if a user did not answer WhatsApp calls and, in many cases, the call would disappear from call logs, according to a spyware technology dealer cited by the reports. It appears that many users were targeted and they did not even realize that their security had been breached.

On Sunday, a UK-based human rights lawyer’s phone was targeted using this method. The lawyer has helped Mexican journalists, government critics and a Saudi dissident living in Canada, to sue NSO in Israel, alleging that “the company shares liability for any abuse of its software by clients.”

Eva Galperin, director of cybersecurity at the US-based non-profit, Electronic Frontier Foundation, tweeted a link to Facebook’s publication of a “Common Vulnerabilities and Exposures (CVE) notice” terming the vulnerability used by the NSO group CVE-2019-3568. It described the vulnerability as a “buffer overflow vulnerability in WhatsApp VOIP stack [that] allowed [a] remote code execution via specially crafted series of SRTCP packets sent to a target phone number.” This means that a code vulnerability allowed others to listen in on the voice calls of users who had been infected.

WhatsApp has also alerted US law enforcement about the exploit. A WhatsApp spokesman told the Associated Press the attack had “all the hallmarks of a private company that has been known to work with governments to deliver spyware that has the ability to take over mobile phone operating systems.”

The spokesman said the flaw was discovered while “our team was putting some additional security enhancements to our voice calls” and that engineers found that people targeted for infection “might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped.”

The NSO group’s spyware has previously been implicated in the infamous murder of Saudi journalist Jamal Khashoggi. A Saudi dissident close to Khashoggi filed a lawsuit charging that the NSO group helped the Saudis take over the dissident’s smartphone and spy on his communications with the late journalist.

The lawsuit put pressure on the NSO Group and the Israeli government, which licenses the company’s sales to foreign governments of its spyware called Pegasus. Last year, the Canada-based nonprofit Citizen’s Lab published a report identifying 45 countries in which operators of NSO Group’s Pegasus spyware were in all likelihood conducting operations. The spyware was found to be targeting civil society activists working on human rights abuses.

A Citizen Lab report says: “to monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.”

Alex Stamos, former head of cybersecurity at Facebook and currently a researcher at Stanford University, tweeted saying, “@citizenlab found that NSO Group registered trademarked domains with the explicit goal of tricking consumers. There have also been reports of NSO Group distributing back-doored applications, which would be both a copyright and trademark violation.”

In another tweet, he added, “Would they win? I really don’t know. We certainly can’t completely shut down the global trade in offensive technologies used against activists and journalists, but we can try to make it unwise to conduct this trade in the open and with US offices.”

The vulnerability also creates a major issue for Facebook, which has been facing severe criticism including calls for the company to be broken up over “monopoly” practices and privacy issues. It was hauled into court in several countries after it was revealed that an app called “Cambridge Analytica” was used to access personal data of users to ascertain voting preferences of Americans before the US Presidential elections. The revelations led to a global uproar and investigations in the US, Europe and Asia.