The messaging service, which is owned by Facebook, said it believes ‘a select number of users’ were targeted by an ‘advanced cyber actor’, Sky News reported.
It is unclear how many devices were affected, but a WhatsApp spokesperson said a number in the dozens would not be inaccurate.
The company discovered the breach in early May and has informed a number of human rights organizations.
WhatsApp said it has since fixed the vulnerability and is urging people to upgrade to the latest version of the app.
It has not been confirmed who carried out the attack, but it was said to have hallmarks of a private company that works with governments to deliver spyware.
The Financial Times has reported the spyware was developed by NSO Group, an Israeli cybersecurity and intelligence company.
The NSO Group rejected the paper’s allegation.
The technology would allow it take over the functions of mobile phone operating systems.
WhatsApp said it is ‘deeply concerned’ about the abuse of such capabilities, and has briefed a number of human rights organizations.
The vulnerability in the app allowed it to be infected with spyware with a missed in-app call function.
The company has provided information to US law enforcement to help them conduct an investigation.
A WhatsApp spokesperson said, "WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.
"We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."
Danna Ingleton, deputy director of Amnesty International Tech, tweeted, "Just to reiterate, this means 'zero click' targeting is actually happening. Now, more than ever, we need some accountability from this company and better Due Diligence processes in the industry."’