Spyware crafted by a sophisticated group of hackers-for-hire took advantage of a flaw in the popular WhatsApp communications program to remotely hijack dozens of phones, the company said late Monday.
The hackers were described as “a private company that has been known to work with governments to deliver spyware.” The malware was able to penetrate phones through missed calls alone via the app’s voice calling function, the spokesman said. An unknown number of people were infected with the malware, which the company discovered in early May, said the spokesman, who was not authorised to be quoted by name.
John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack “a very scary vulnerability.” “There’s nothing a user could have done here, short of not having the app,” he said.
The spokesman said the flaw was discovered while “our team was putting some additional security enhancements to our voice calls” and that engineers found that people targeted “might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped.”
The revelation adds to the questions over the reach of the Israeli company’s powerful spyware, which takes advantage of digital flaws to hijack smartphones, control their cameras and effectively turn them into pocket-sized surveillance devices.
NSO’s spyware has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents. Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.