The messaging service, which is owned by Facebook, said it believes “a select number of users” were targeted by an “advanced cyber actor”.
It is unclear how many devices were affected, but a WhatsApp spokesperson said a number in the dozens would not be inaccurate.
The company discovered the breach in early May.
WhatsApp says it has since fixed the vulnerability and is urging people to upgrade to the latest version of the app.
It has not been confirmed who carried out the attack, but it was said to have hallmarks of a private company that works with governments to deliver spyware.
The technology would allow it to take over the functions of mobile phone operating systems.
WhatsApp has said it is “deeply concerned” about the abuse of such capabilities, and has briefed a number of human rights organisations.
The vulnerability allowed the app to be infected with spyware through a missed in-app call.
The company has provided information to US law enforcement to help them conduct an investigation.
A WhatsApp spokesperson said: “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.
“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”