Facebook's WhatsApp on Tuesday urged users to upgrade to the latest version of its popular messaging app following a report that users could be vulnerable to having malicious spyware installed on phones without their knowledge.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokesman said.

"We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."

The Financial Times reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app's phone call function. It said the spyware was developed by Israeli cyber surveillance company NSO Group.

Asked about the report, NSO said its technology is licensed to authorised government agencies "for the sole purpose of fighting crime and terror," and that it does not operate the system itself.

"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," the company said.

"NSO would not or could not use its technology in its own right to target any person or organisation, including this individual."

Highly invasive software

The WhatsApp spyware is sophisticated and "would be available to only advanced and highly motivated actors", the company said, adding that a "select number of users were targeted".

"This attack has all the hallmarks of a private company that works with a number of governments around the world" according to initial investigations, it added, but did not name the firm.

WhatsApp has briefed human rights organisations on the matter, but did not identify them.

The Citizen Lab, a research group at the University of Toronto, said in a tweet it believed an attacker tried to target a human rights lawyer as recently as Sunday using this flaw, but was blocked by WhatsApp.

The NSO Group came to prominence in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates. Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target's phone camera and microphone, and access data on it.