In May 2019 we stopped a highly sophisticated cyber attack that exploited our video calling system in order to send malware to the mobile devices of a number of WhatsApp users. The nature of the attack did not require targeted users to answer the calls they received. We quickly added new protections to our systems and issued an update to WhatsApp to help keep people safe. We are now taking additional action, based on what we have learned to date.
We sent a special WhatsApp message to approximately 1,400 users that we have reason to believe were impacted by this attack to directly inform them about what happened. Cyber security experts at the Citizen Lab, an academic research group based at the University of Toronto’s Munk School, volunteered to help us to learn more about the impact of this attack on civil society, including journalists and human rights defenders. The Citizen Lab has published information related to this specific attack here and remains available to provide support to this community.
WhatsApp cares deeply about the privacy and security of our users. Some of your most personal moments are shared on WhatsApp, which is why we provide end-to-end encryption for all messages and calls by default. This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones.
We agree with UN Special Rapporteur for Freedom of Expression David Kaye’s call for a moratorium on these attacks. There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world. Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders. Working with research experts at the Citizen Lab, we believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse. This number may grow higher as more victims come forward. We are committed to doing all we can, working with industry partners, to protect our users and guard against these kinds of threats.
WhatsApp has also filed a complaint in U.S. court that attributes the attack to a spyware company called NSO Group and its parent company Q Cyber Technologies. The complaint alleges they violated both U.S. and California laws as well as the WhatsApp Terms of Service, which prohibits this type of abuse. This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users. In our complaint we explain how NSO carried out this attack, including acknowledgement from an NSO employee that our steps to remediate the attack were effective. We are seeking a permanent injunction banning NSO from using our service.
You can read more about our views published here.
If you received a message from us and have additional questions about this incident, you can message the WhatsApp team directly and securely by opening WhatsApp Settings > Help > Contact Us.