In a statement, the company said that the vulnerability in WhatsApp’s Voice over IP (VOIP) allowed for remote code to be executed sent to a target phone number.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” it said.
The Financial Times – which first reported on the security flaw – said that the vulnerability allows spyware to be injected into a user’s phone by an outside attacker.
Attackers could send the malicious code to a target’s device by calling the user – infecting the phone irrespective of whether or not the recipient answered the call.
Once installed, the software can reportedly turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data.
Logs of the incoming calls were often erased, meaning there was no trace of the call taking place.
The spyware is believed to have been developed by the Israeli cyber intelligence company NSO Group.