JERUSALEM • Facebook-owned WhatsApp said yesterday that a security breach on its messaging app had signs of coming from a private company working on surveillance and that it had referred the incident to the United States Department of Justice.
The app, one of the most popular messaging tools, is used by 1.5 billion people monthly, and WhatsApp has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.
WhatsApp said the attack was sophisticated and had all the hallmarks of a "private company working with governments on surveillance".
"WhatsApp encourages people to upgrade to the latest version of our app as well as to keep their mobile operating system up to date to protect against potential targeted exploits designed to compromise information stored on mobile devices," said a spokesman.
"We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."
WhatsApp did not elaborate further.
It informed its lead regulator in the European Union - Ireland's Data Protection Commission (DPC) - of a "serious security vulnerability" on its platform.
"WhatsApp is still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident," said the DPC, adding that WhatsApp informed it of the incident late on Monday.
Cyber-security experts said the vast majority of users were unlikely to have been affected. Mr Scott Storey, a senior lecturer in cyber security at Sheffield Hallam University, believes most WhatsApp users were not affected because this appeared to be governments targeting specific people, mainly human rights campaigners.
"For the average end user, it is not something to really worry about," he said, adding that WhatsApp found the vulnerability and fixed it quickly. "This isn't someone trying to steal private messages or personal details."
Earlier, the Financial Times reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app's phone call function. It said the spyware was developed by Israeli cyber-surveillance firm NSO Group - best known for its mobile surveillance tools - and affects both Android phones and iPhones.