WhatsApp, which is part of Facebook, said it had notified the U.S. Department of Justice to help with an investigation, and encouraged all WhatsApp users to update to the latest version of the app, where the breach had been fixed.
WhatsApp, one of the most popular messaging tools in the world, is used by 1.5 billion people monthly.
It has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.
The company said it was still investigating the breach but believed only a “select number of users was targeted through this vulnerability by an advanced cyber actor.”
However, its advice to all users to update came “out of an abundance of caution” and on a recommendation by Citizen Lab, a research group at the University of Toronto.
It did not disclose how many users were affected.
A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”
WhatsApp said it was “deeply concerned about the abuse” of such surveillance technologies and that it believed human rights activists may have been the targets.
“We’re working with human rights groups on learning as much as we can about who may have been impacted from their community.
“That’s really where our highest concern is,” the spokesman said.
Citizen Lab tweeted: “We believe an attacker tried to exploit it as recently as yesterday to target a human rights lawyer and was blocked by WhatsApp.”
Ireland’s Data Protection Commission (DPC), WhatsApp’s lead regulator in the European Union, said WhatsApp had notified the agency on Monday of a “serious security vulnerability” on its platform.
“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed,” the regulator said.
Cyber security experts said the vast majority of users were unlikely to have been affected.
Scott Storey, a senior lecturer in cyber security at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people, mainly human rights campaigners.
“For the average end user, it’s not something to really worry about,” Storey said.
He added that WhatsApp found the vulnerability and quickly fixed it.
“This isn’t someone trying to steal private messages or personal details,” he stressed.
Storey said that disclosing vulnerabilities was a good thing and likely would lead to other services looking at their security.
The Financial Times (FT) initially reported on the WhatsApp vulnerability that allowed attackers to inject spyware on phones via the app’s phone call function.
The FT said the spyware was developed by Israeli cyber surveillance company NSO Group, best known for its mobile surveillance tools, and that it affects both Android phones and iPhones.
NSO, when asked about the report, said its technology is licensed to authorised government agencies “for the sole purpose of fighting crime and terror,” and that it does not operate the system itself and has a rigorous licensing and vetting process.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.
Social media group Facebook bought WhatsApp in 2014 for 19 billion dollars.
Facebook co-founder Chris Hughes recently wrote in The New York Times that fellow co-founder Mark Zuckerberg had far too much influence by controlling Facebook, Instagram and WhatsApp, three core communications platforms, and called for the company to be broken up.
Facebook’s shares were down about 1.1 per cent in New York.