The vulnerability - fixed in the latest WhatsApp update - allowed hackers to insert malicious software on phones by calling the target using the app,
Facebook's WhatsApp on Tuesday urged users to upgrade to the latest version of its popular messaging app following a report that users could be vulnerable to having malicious spyware installed on phones without their knowledge.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokesman said.
The vulnerability - first reported by the Financial Times, and fixed in the latest WhatsApp update - allowed hackers to insert malicious software on phones by calling the target using the app, which is used by 1.5 billion people around the world.
The FT cited a spyware dealer as saying the tool was developed by an Israel-based firm called the NSO Group, which has been accused of helping governments from the Middle East to Mexico snoop on activists and journalists.
Asked about the report, NSO said its technology is licensed to authorised government agencies "for the sole purpose of fighting crime and terror," and that it does not operate the system itself.
"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," the company said.
"NSO would not or could not use its technology in its own right to target any person or organisation, including this individual."
The latest exploit - which impacts Android devices and Apple's iPhones, among others - was discovered earlier this month and WhatsApp scrambled to fix it, rolling out an update in less than 10 days.
WhatsApp did not comment on the number of users affected or who targeted them, and said it had reported the matter to US authorities.
The breach is the latest in a series of issues troubling WhatsApp's parent Facebook, which has faced intense criticism for allowing its users' data to be harvested by research companies and over its slow response to Russia using the platform as a means to spread disinformation during the 2016 US election campaign.
Highly invasive software
The WhatsApp spyware is sophisticated and "would be available to only advanced and highly motivated actors", the company said, adding that a "select number of users were targeted".
"This attack has all the hallmarks of a private company that works with a number of governments around the world" according to initial investigations, it added, but did not name the firm.
WhatsApp has briefed human rights organisations on the matter, but did not identify them.
The Citizen Lab, a research group at the University of Toronto, said in a tweet it believed an attacker tried to target a human rights lawyer as recently as Sunday using this flaw, but was blocked by WhatsApp.