WhatsApp flaw lets hackers install spyware on iOS & Android devices

It is unclear whether the WhatsApp vulnerability has been exploited or how many victims have been targeted.

WhatsApp is used by roughly 1.5 billion people around the world, and the presence of a security hole that can be exploited to spy on targeted individuals is certainly a troubling discovery.

Security researchers at NSO Group, an Israeli firm that supplies spying tools, claim that their technology can be used to exploit WhatsApp’s security flaw and access the digital communications of Android and iPhone users.

As a result, engineers at WhatsApp in San Francisco and London have come up with a security patch and are urging customers to run the update immediately. It is currently unclear how many phones have been targeted with this technique, but a UK-based lawyer, Omar Abdulaziz, claims that his phone has been targeted by this method.

The latest WhatsApp update does not state anything about the vulnerability.

In their official statement, WhatsApp stated that:

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”

The flaw was identified by WhatsApp earlier in May. According to their assessment, attackers can exploit the flaw to install surveillance software by calling their targets using the application’s phone call feature. This technique works on both the iPhone and Android phones.

Furthermore, NSO Group has developed malicious code that can be executed even if the target does not answer the phone call made via WhatsApp. As soon as the spyware is installed, the call disappears from call logs. After the malicious code is inserted, the attacker can easily obtain data from the phone.

According to the New York Times, researchers at the University of Toronto’s Citizen Lab have assessed that a group of Mexican activists and journalists are the key targets of this campaign, but the list may be longer. They further claimed that a spyware attack launched on Sunday was associated with the same WhatsApp flaw for which the patch was released on Monday.

NSO Group is a well-known Israeli firm valued at $1bn; its most famous product is Pegasus, which can turn on the camera and microphone of the phone, access emails or messages and obtain location data. The main target market of NSO Group is Middle Eastern as well as Western intelligence agencies, while Pegasus is developed for governments with the aim of fighting crime and terrorism through surveillance tactics.

It is worth mentioning that NSO is the same group that suffered a breach last year after one of its employees stole its secrets and listed them on dark web marketplaces to make a profit.

In a comment to the Financial Times, WhatsApp said that “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.”

Facebook, on the other hand, has also issued a statement revealing that “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”

Winston Bond, EMEA Technical Director at Arxan Technologies, also commented on the issue and said that: “The attack on WhatsApp is based on using a bug in the code to give the attackers control over what it does. It takes a lot of research and reverse engineering to create an attack like that.”

“Nothing will stop bugs, but app hardening would have made that research phase much harder and could have given Facebook a heads-up that someone was tinkering with their app. Unfortunately, too many consumer-facing apps are published without any serious protection against reverse engineering. It’s time that changed,” Bond added.

If you are using WhatsApp, update it to the latest version. Here is how to update your WhatsApp on iPhone and Android devices:

For iOS devices:

  • Open the App Store
  • At the bottom of the screen, tap Updates
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on iOS is 2.19.51

For Android devices:

  • Open the Google Play store
  • Tap the menu at the top left of the screen
  • Tap My Apps & Games
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on Android is 2.19.134
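
For anyone responsible for more than one phone, the same version check can be run over a device inventory. The script below is an added example, not part of the original article; the inventory rows are constructed, and treating the versions listed above as the minimum acceptable build is an assumption.

```python
# Added example: flag devices whose WhatsApp build is older than the versions
# this article lists. Inventory rows are constructed sample data.
import csv
import io

# Versions named in the article, treated here as the minimum acceptable build
# (assumption: the article calls them "latest", not "first fixed").
MIN_VERSION = {"ios": "2.19.51", "android": "2.19.134"}

# Constructed sample, in the shape an MDM or asset-inventory export might take.
SAMPLE_INVENTORY = """device,platform,whatsapp_version
phone-01,android,2.19.134
phone-02,android,2.19.98
phone-03,ios,2.19.51
phone-04,ios,2.19.5
phone-05,android,unknown
phone-06,iOS,2.19.60
"""


def parse_version(text):
    """Turn '2.19.134' into (2, 19, 134); return None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv):
    """Return {device: status} where status is 'ok', 'outdated' or 'unverified'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        minimum = MIN_VERSION.get(row["platform"].strip().lower())
        installed = parse_version(row["whatsapp_version"])
        if minimum is None or installed is None:
            # Unknown platform or unparsable version: do not assume it is safe.
            results[row["device"]] = "unverified"
        elif installed < parse_version(minimum):
            # Numeric compare: as plain strings "2.19.98" would sort above "2.19.134".
            results[row["device"]] = "outdated"
        else:
            results[row["device"]] = "ok"
    return results


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as `unverified` need a manual check rather than being counted as updated.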