WhatsApp is urging users to upgrade to the latest version to guard against a malicious spyware attack.
1.5 billion people use the messaging service, which is owned by Facebook.
Its high levels of security and privacy are partly why.
Now the Financial Times reports that a vulnerability in WhatsApp allowed attackers to inject spyware on phones just by ringing up targets through the app's call function.
It worked even if they didn't pick up.
The spyware was reportedly developed by an Israeli cyber security firm, the NSO Group.
WhatsApp said it targeted a "select number of users." Hackers remotely installed surveillance software that would let them read their target's messages.
Rights group Amnesty International says regimes are using NSO's spyware to watch prominent activists and journalists.
It says one of its staffers was targeted by NSO's Pegasus software -- which if successful would have taken control of the phone's cameras and microphone, and monitored keystrokes and contact lists.
Amnesty petitioned a Tel Aviv court Tuesday (May 14) to revoke the NSO Group's export license.