The hackers could implant malicious code on a victim’s phone by placing a voice call to the victim on WhatsApp.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” a WhatsApp spokesperson said in a statement.
In a statement provided to CNN on Monday, NSO said, “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
NSO said its technology was licensed to government agencies “for the sole purpose of fighting crime and terror,” adding that those agencies determine how the technology is used without any involvement from the company.
Among those believe to have been targeted via WhatsApp is a London-based human rights lawyer.
On Sunday, the lawyer received two calls that John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab believes were part of the attack. Citizen Lab is an academic security research group that investigates digital threats to civil society groups and online freedom of expression.
The apparent attempt to breach the lawyer’s phone was not successful, Scott-Railton said, as WhatsApp had patched the vulnerability by Sunday.
WhatsApp had reached out to Citizen Lab and a number of other groups that work with human rights defenders before publicly acknowledging the attack.
The collaboration between WhatsApp and Citizen Lab helped identify the attempted attack on the London-based lawyer. The lawyer does not want to be named, Scott-Railton told CNN.
Responding specifically to the apparent targeting of the lawyer, NSO Group said in a statement, “NSO would not or could not use its technology in its own right to target any person or organization, including this individual.”
WhatsApp said while it has fixed the vulnerability the attackers were exploiting, it is also encouraging users to update to the latest version of the WhatsApp app “out of an abundance of caution.” The company said it has also contacted US law enforcement.
Scott-Railton praised WhatsApp for reaching out to human rights groups to identify the attack, adding, “It’s creepy to think that someone with an unknown number could give you a call and your device would be compromised.”