Due to a security flaw, hackers can take over your phone by simply calling it, whether or not you answer. The spyware can access data on the phone, as well as activate the phone’s camera and microphone.
In a statement, the parent company Facebook said sophisticated spyware "would be available to only advanced and highly motivated actors," adding that a "select number of users were targeted."
"This attack has all the hallmarks of a private company that works with a number of governments around the world" according to initial investigations, it added, but did not name the firm.
A tool called Pegasus
According to the Financial Times, Israeli cyber intelligence company NSO Group developed the spyware. It's best-known product to date is called Pegasus.
The group came to prominence in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates.
There is concern for activists, lawyers and journalists who rely on these encrypted applications, when speaking with sources about sensitive information.
Amnesty International said meanwhile it would join a legal action in Israel by some 30 activists to revoke NSO's export license, claiming that one of its own staff members was targeted by a "particularly invasive" variant of the software.
However, the firm defended itself on Tuesday, saying it only licenses its software to governments for "fighting crime and terror."
More pressure on Facebook
The latest scam, which impacts Android devices and Apple's iPhones, among others, was discovered earlier this month and WhatsApp scrambled to fix it, rolling out an update in less than 10 days.
Facebook did not comment on the number of users affected or who targeted them, and said it had reported the matter to US authorities.
It also informed EU authorities in Ireland about the "serious security vulnerability," according to a statement by the country's Data Protection Commission (DPC).
The revelation is the latest in a series of issues troubling Facebook, which has faced intense criticism for allowing users' data to be harvested by research companies and over its slow response to Russia using the platform as a means to spread disinformation during the 2016 US election campaign.