Whatsapp has disclosed a vulnerability that allowed hackers to remotely install spyware on iOS and Android phones by exploiting a bug in the audio call feature of the app. The vulnerability let spyware be installed on a target device when a call was initiated regardless of whether the call was answered.
Both WhatsApp and Israeli software developer NSO Group have confirmed that an exploit in WhatsApp’s voice calling allowed attackers to load NSO’s Pegasus spyware on to Android and iOS devices.
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.
Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
Hackers took advantage of this security flaw to install Israeli spyware called Pegasus from NSO Group, normally licensed to governments who purchase the spyware for installing on the devices of individuals who are the target of an investigation. The spyware could infect a device even if a user did not answer, and like any good spy tool, it removes traces of that malicious calls from the phone’s logs. Pegasus can use the camera and mic in addition to scooping up location and message info.
While the perpetrators have not been identified, there are suspicions that it may be a Middle Eastern country trying to clamp down on criticism of its human rights practices. There was a failed attempt on May 12th to compromise the phone of a UK-based human rights lawyer who helped a Saudi dissident in Canada and helped sue NSO for allegedly sharing in the liability of actions perpetrated by its customers.
Complicating matter, Pegasus developer NSO Group is currently under facing lawsuits over how it has provided such tools for repressive countries to track activists and the organizations that support them.
WhatsApp says that it believes a small number of users were targeted, because it is “nontrivial to deploy, limiting it to advanced and highly motivated actors”. It is not clear, though, how long the security flaw was available nor how many people were affected.
Many details about the vulnerability remain unclear, but the report suggests that the loophole was open for several weeks. In a statement, WhatsApp said:
This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.
According to the report from The Financial Times, WhatsApp is too early into its own investigations of the attack to estimate how many phones were targeted. WhatsApp reportedly disclosed the issue to the United States Department of Justice last week and started deploying a fix to its servers on Friday. Moreover, the company has frantically worked to patch up the hole ever since the vulnerability was reported earlier this month.
WhatsApp customers do not need to worry further about the exploit as the flaw should be fixed as you read this. WhatsApp delivered a server-side fix on May 10th, and release patched versions of its apps on May 13th.