Getty
WhatsApp has patched a vulnerability that allowed attackers to inject spyware onto people’s phones. This was confirmed by both WhatsApp and a spyware technology dealer to the Financial Times, which broke the news.
Discovered at the start of May, the vulnerability would have allowed adversaries to install surveillance software on phones by calling a user via the app’s phone call function. The attack could be performed even if the person didn’t answer their phone, while the calls would often disappear from logs, according to the spyware dealer.
The malicious code was allegedly developed by Israeli company NSO Group, which aims its products at Middle Eastern and Western intelligence agencies. NSO’s flagship product is dubbed Pegasus: a program that can turn on your phone’s microphone and camera, search emails and messages and collect location data.
Who has been affected?
The app is used by 1.5 billion people across the world – and this vulnerability impacts iOS, Android and Windows Phone users. WhatsApp owner Facebook’s advisory reads: “The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.”
As it stands, Facebook doesn’t know how many phones were targeted. It’s safe to say more will emerge as its investigation continues.
However, the FT reports that as late as Sunday, a UK-based human rights lawyer’s phone was targeted using the same method.
“These types of attacks are rare, but not to be taken lightly,” says Jake Moore, cyber security expert at ESET. “Organizations such as the NSO and cyber-criminal gangs will continually look for vulnerabilities in applications used by the masses to take advantage of them in the chance they will find something to exploit.”
Every user will have had the possibility of being listened to - or even located - via the suspicious phone call, he says, but he adds: “The reality is that only highly targeted people would have been affected and the majority of users will have nothing to worry about.”
It doesn’t seem that any messages have been read which bodes well for WhatsApp’s encryption, says Moore. However, to install location software and listening bugs to the targeted devices is “quite a feat’, he says, adding that this “may have been used a number of times in the wild before detection”.
What is WhatsApp doing?
WhatsApp patched the hole over the weekend. It sent a secured version of the app to users yesterday (13 May).
WhatsApp sent me a statement over email, which read: “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
Late last week, WhatsApp made changes to its infrastructure to deny the ability for this attack to take place. It has also provided information to U.S. law enforcement to help it conduct an investigation.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” Facebook told the FT.
The vulnerability
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” Facebook’s advisory reads.
So what does that mean in reality? A buffer overflow occurs when a program attempts to write more data than it is allowed in its allocated area in the memory of the device, says Moore. “A buffer overflow attack is when an adversary writes this extra data to take control or even modify the program bypassing earlier checks.”
What to do
It’s important to make sure your app is updated. It could have been done automatically, but if WhatsApp offers you the option, do it now. If not, update it manually: in general, it’s a good idea to turn on auto updates if you haven’t already.
For the security minded of us who are looking for an alternative app, you can find some suggestions here. Signal is beloved of the security community; it’s just a challenge trying to persuade friends to join up too.
