Since WhatsApp was acquired by Facebook in 2014, users of the messaging app have long speculated on how secure the platform would be from its new parent company’s data collection practices.
What users may not have expected, however, was that their conversations could potentially be tapped by a third party — another company with the means to create powerful malware that could intercept protected conversations, as reported by the Financial Times on Monday. The report outlines allegations that an Israel-based company was able to successfully install malware that could have been used for surveillance on phone calls made over the app.
WhatsApp confirmed the vulnerability of its app but did not name the perpetrator.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesperson told CNBC in a statement Monday. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
The Financial Times named Israel-based cyersecurity company, NSO Group, for the incident. WhatsApp has already indicated the attack looks as though it was conducted by a private company that works with governments to deliver spyware, and a “select number” of users were targeted.
NSO Group is best known for its reported, though not confirmed, role in assisting the FBI in opening the phone of the San Bernardino mass shooter after Apple fought an FBI request to do so. NSO Group declined to comment.
The claims could raise serious problems for WhatsApp’s reputation, which has been built on the privacy and security of the end-to-end encryption in its very popular texting and voice calling application.
Why it matters
End-to-end encryption means data sent via WhatsApp is scrambled in transit, and only understandable by the party sending it and the party receiving it — whether the data is in the form of texts, pictures or voice conversations. It’s a major selling point for the application.
WhatsApp’s security in transit has made it a popular choice for people wishing to communicate “out of band” — off regular, unencrypted or corporate communications channels — about all manner of personal information, including everything from legal and business matters to personal or political problems.
An unknown party, according to the FT report, sought to decrypt this data in transit using malware, targeting human rights attorneys and using the Israeli firm’s services to do so. WhatsApp reportedly said it had contacted Justice Department authorities.
The investigation is in its early stages, but WhatsApp will have to fight to maintain its reputation among security-minded customers who are worried their data could be compromised not, only by the Israeli company, but by any other individual.