A security flaw in instant messaging platform WhatsApp allows a spyware to be injected into users’ phones, The Guardian reported on Tuesday. The spyware was developed by Israeli cyber intelligence company NSO Group, according to Financial Times, which first reported the vulnerability in the app.

WhatsApp, a subsidiary of social media giant Facebook, has asked users to upgrade to the latest version of the app. “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system upto date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a company spokesperson told CNBC on Monday. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

The spyware attacks phones through missed calls in the app’s voice calling function, Al Jazeera quoted a WhatsApp spokesperson as saying. The spokesperson said the malware had infected an unknown number of mobile phones.

The company said it discovered the security flaw earlier this month while “putting some additional security enhancements to our voice calls”. Its engineers found that the people being targetted might get one or two calls from an unfamiliar number. “In the process of calling, this code gets shipped,” the spokesperson added. The spyware targeted iPhones, phones operating Google’s Android system, Microsoft Windows phones and Samsung’s Tizen system.

The problem was fixed and an update was published on Monday, according to The Guardian. “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said, according to Financial Times. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

The Israeli company, NSO Group, said it was investigating the matter. According to Financial Times, the vulnerability was used in an attempted attack on the phone of a lawyer in the United Kingdom on May 12. The lawyer, who was not identified, is involved in a lawsuit against NSO brought by a group of Mexican journalists, government critics and a Saudi Arabian dissident.