A vulnerability in WhatsApp has been discovered and is being exploited to inject commercial spyware into both Android and iOS smartphones simply by calling the user. A London-based human rights lawyer was possibly among the targets.
The Facebook-owned messaging app said on Monday that it had discovered and fixed the vulnerability the attackers had sought to exploit. WhatsApp has urged its users to update the app immediately to close off the security hole.
Spyware Can Collect User’s Personal Data With Just A Single Call
The spyware, developed by Israel's secretive NSO Group, can be installed on the device without a trace. The attackers can insert malicious code on the phone simply by calling the victim on WhatsApp.
According to security researchers, the spyware can be installed even if the user has not answered the call. WhatsApp has confirmed this.
Once installed, the spyware can turn on the phone's camera and microphone, scan the user's emails and messages, and collect the user's location data. WhatsApp is now urging its 1.5 billion users across the globe to update the app and has released a statement regarding the issue.
WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.
Furthermore, Facebook issued a security advisory on Monday in relation to the WhatsApp breach.
According to the advisory, “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
The vulnerability exists in the following versions of WhatsApp:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp for Windows Phone prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
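The fixed versions above are the only concrete indicator a defender has for this issue, so a useful first step is to compare what is actually installed against them. The following is an added example written for this article, not code from WhatsApp or Facebook: it encodes the advisory's "prior to" thresholds, parses version strings of the form used on this page (with or without a leading "v"), and flags any build that is still affected. The product names and the sample inventory are assumptions constructed for illustration.

```python
# Added example (not from the original article): check whether an installed
# WhatsApp build is older than the fixed version listed in Facebook's advisory.
import re
from typing import Dict, List, Tuple

# Fixed versions as listed in the advisory; builds *prior to* these are affected.
FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v2.19.134' or '2.19.134' into a tuple of ints that compares numerically."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(product: str, installed: str) -> bool:
    """True if the installed build is strictly older than the fixed version for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no advisory entry for {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, version) pairs from an inventory that still need updating."""
    return [(product, version) for product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical, e.g. an MDM export).
    sample = [
        ("WhatsApp for Android", "v2.19.133"),   # one build short of the fix
        ("WhatsApp for Android", "2.19.134"),    # exactly the fixed version
        ("WhatsApp for iOS", "2.19.50"),         # affected
        ("WhatsApp for Tizen", "2.18.15"),       # already fixed
    ]
    for product, version in triage(sample):
        print(f"UPDATE NEEDED: {product} {version}")
```

Numeric tuple comparison avoids the classic string-comparison mistake where "2.19.9" sorts after "2.19.134". A version with fewer components (for example "2.19") compares as older than any "2.19.x", which is the conservative result for this purpose; a string that is not purely numeric is rejected rather than silently treated as patched.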
More About The Spyware
According to researchers at Citizen Lab, the vulnerability was discovered early in May, when a UK-based human rights lawyer was attacked with NSO's flagship Pegasus program. Fortunately, WhatsApp was able to block the attack.
WhatsApp is still investigating the issue but is far from determining the number of phones that were affected by the exploit, a source told The Financial Times.
In a statement provided to The Financial Times, WhatsApp said: "This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems."
The statement further said, “we have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.”
NSO sells the Pegasus program to governments and law enforcement agencies to aid in fighting terrorism and crime. But that has not stopped countries, individuals and organizations from using the program, undeterred by human rights concerns.
There have already been reported incidents of attacks using the spyware. In 2016, NSO spyware was involved in an attack on Emirati human rights activist Ahmed Mansoor. And in 2018, NSO's spyware was aimed at prominent TV journalist Carmen Aristegui and eleven others while they were investigating a scandal involving the Mexican president.
Researchers further claimed that NSO’s powerful spyware has been used in more than 45 countries to aid in persecution of dissidents, targeting journalists, and other innocent civilians.