End-to-end encrypted messaging app WhatsApp has experienced the worst security bug in its 10 years of service. The vulnerability, which allows the installation of third-party spyware, grants hackers full access to a phone remotely.

Once the surveillance software has been successfully installed, the attacker is able to read the victim’s messages, see their contacts, and switch on the device’s camera.

WhatsApp’s owner Facebook said that the spyware was spread by an “advanced cyber actor” and confirmed that an update, which is available for all major platforms, fixes the bug.

The attack worked by using WhatsApp’s voice calling feature to ring a device. Even if users didn’t answer the call, the spyware would be transmitted to the device.

According to WhatsApp, a “select number” of users have fallen victim to the attacks, and all versions of the app but the latest are affected by the bug. The company is urging its 1.5 billion users to update their apps immediately.

The newest version for iOS is 2.19.51 and Android users must ensure that they are running version 2.19.134 or later.

However, WhatsApp made no mention of the security flaw in the release notes for the new version of the app, which only noted that it’s now “easier to start group voice and video calls” on Android and announced full-sized stickers for iOS.

According to a WhatsApp spokesperson, the team discovered the flaw in early May while “putting some additional security enhancements to [its] voice calls.”

“We are deeply concerned about the abuse of such capabilities,” the tech giant said in a statement.

It appears that the technology behind the attack was developed by Israeli cyber intelligence company NSO Group, which is said to sell surveillance software to intelligence agencies and nation states.

The Financial Times, which broke the news, said that the bug was used in an attempted attack on the phone of a UK-based attorney who is currently involved in a lawsuit against NSO.

However, a spokesperson for NSO denied the allegations that it was planting the spyware: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”

Just a couple of weeks ago Facebook announced that it would be adding end-to-end encryption to its Facebook Messenger app in an effort to “focus on privacy first.”