Facebook’s instant messaging app WhatsApp has been hit with a security breach, which leaves users vulnerable to malicious spyware being installed on their phones.

The company said it discovered the breach this month and informed the US Department of Justice last week, as well as its lead regulator in the EU, Ireland’s Data Protection Commission.

A Facebook spokesperson urged users to upgrade to the latest version of the app and keep their operating system up to date, as a way to protect against threats designed to compromise information stored on mobile devices.

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users,” the spokesperson told Reuters.

The Financial Times (FT) provided details on the breach, reporting that attackers were able to inject commercial Israeli spyware on both iPhones and Android-powered smartphones by ringing users and targeting the app’s call function.

The FT said the code was developed by Israeli company NSO Group, and could compromise devices even if users did not answer their phones. Often, the calls would disappear from call logs.

WhatsApp, which is still investigating the issue, said it was too early to reveal exactly how many users had been affected, an FT source added.

NSO’s products and technology are designed for intelligence agencies in the West and Middle East, with its flagship Pegasus programme intended to fight crime and terrorism. The programme can turn on a phone’s microphone and camera, as well as access emails, messages and location data. NSO told the FT it carefully vetted customers and investigated any abuse, adding it was looking into the WhatsApp hack.