A zero-day vulnerability in WhatsApp could leave users open to spyware that could turn on their phone’s camera and microphone, and collect location data, the Financial Times reported on Tuesday. A software called Pegasus created by the private Israeli firm NSO Group is said to be able to take advantage of a security hole in WhatsApp’s voice call function to carry out the attack. Pegasus can also trawl through emails and messages, the FT reported.
The attackers could simply call a user to install the surveillance software, even when the call was not taken. The report has said that the call would sometimes not even show up in the user’s call log.
WhatsApp spyware attack: Are you affected?
The messaging app is used by 1.5 billion people worldwide, including more than 200 million in India, but the number of users who have been affected isn’t clear yet. WhatsApp said in a statement to the BBC that the attack had targeted a “select number” of users.
It seems WhatsApp’s Android version prior to 2.19.134, and WhatsApp Business for Android prior to version 2.19.44, are vulnerable to the spyware attack. On iOS, WhatsApp versions prior to 2.19.51 and WhatsApp Business versions prior to 2.19.51 are affected. WhatsApp for Windows Phone older than version 2.18.348, and WhatsApp for Tizen prior to 2.18.15 devices have been affected as well.
WhatsApp spyware attack: Who is responsible?
The NSO Group has denied direct involvement in the WhatsApp attack, and said that its software is operated by intelligence and law enforcement agencies. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company told the FT. It added that it couldn’t use its own technology to target any person or organisation.
WhatsApp spyware attack: What is WhatsApp doing?
WhatsApp, which is owned by Facebook, has acknowledged a “targeted surveillance attack”, and is investigating. The company had issued a security advisory last week informing users of the attack, and asked them to update the app. “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” WhatsApp said.
The company issued a patch on Monday and is said to be working around the clock to close the vulnerability. On Friday, WhatsApp also started to release a fix for its servers.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said. The company has also reportedly briefed human rights organisations, and is working with them to inform civil society.
WhatsApp spyware attack: Should you stop calling on WhatsApp?
No. The vulnerability has been used to essentially steal data from phones. It does not seem to be able to intercept encrypted voice calls. Also, to steal this data the calls will have to be intercepted as they are happening, as no part of the call is saved at the device level. This would be tough.