A vulnerability in the messaging app WhatsApp let attackers install spyware on users’ phones, BBC News reported. It remains unknown how many WhatsApp users were affected. The Facebook-owned company discovered the vulnerability and issued a security advisory earlier this week, asking its users to update the app.
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” WhatsApp said. The company has rolled out a fix, though it is unclear how many users were affected. WhatsApp said in a statement to BBC that the attack targeted a “select number” of users.
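The advisory quoted above attributes the flaw to a buffer overflow in the VOIP stack triggered by a crafted series of SRTCP packets. The C snippet below is added here as an illustration of that bug class; it is not WhatsApp’s code and does not reproduce the actual bug. It shows a parser that copies a wire-supplied length into a fixed-size buffer without checking it, next to a hardened version that bounds the length against both the destination buffer and the bytes actually present in the packet. The two-byte packet layout, the `report` struct, the `parse_report_*` functions and the `demo_*` helpers are all constructed assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet layout for this example (not the SRTCP wire format):
 *   byte 0     : report type
 *   byte 1     : payload length, as claimed by the sender
 *   bytes 2..  : payload
 */
#define PAYLOAD_MAX 16

struct report {
    uint8_t type;
    uint8_t payload[PAYLOAD_MAX];
    size_t  payload_len;
};

/* Vulnerable pattern: the length byte comes from the network and is trusted.
 * If pkt[1] exceeds PAYLOAD_MAX the memcpy writes past out->payload (stack or
 * heap overflow); if it exceeds pkt_len - 2 the memcpy reads past the packet. */
int parse_report_unsafe(const uint8_t *pkt, size_t pkt_len, struct report *out)
{
    if (pkt_len < 2)
        return -1;
    out->type = pkt[0];
    out->payload_len = pkt[1];
    memcpy(out->payload, pkt + 2, out->payload_len);   /* unchecked length */
    return 0;
}

/* Hardened pattern: validate the claimed length against the destination size
 * and against the bytes that are really in the packet before copying. */
int parse_report_safe(const uint8_t *pkt, size_t pkt_len, struct report *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;                     /* malformed or missing header */
    size_t len = pkt[1];
    if (len > PAYLOAD_MAX)
        return -2;                     /* would overflow out->payload */
    if (len > pkt_len - 2)
        return -3;                     /* would read beyond the packet */
    out->type = pkt[0];
    out->payload_len = len;
    memcpy(out->payload, pkt + 2, len);
    return 0;
}

/* Constructed sample packets exercising the safe parser's three outcomes. */
int demo_valid(void)
{
    const uint8_t pkt[] = { 0xC8, 4, 'a', 'b', 'c', 'd' };   /* length matches */
    struct report r;
    return parse_report_safe(pkt, sizeof pkt, &r);          /* 0 */
}

int demo_oversized(void)
{
    const uint8_t pkt[] = { 0xC8, 200, 'a', 'b', 'c', 'd' }; /* claims 200 bytes */
    struct report r;
    return parse_report_safe(pkt, sizeof pkt, &r);          /* -2 */
}

int demo_truncated(void)
{
    const uint8_t pkt[] = { 0xC8, 10, 1, 2, 3 };             /* claims 10, has 3 */
    struct report r;
    return parse_report_safe(pkt, sizeof pkt, &r);          /* -3 */
}

int main(void)
{
    printf("valid     -> %d\n", demo_valid());
    printf("oversized -> %d\n", demo_oversized());
    printf("truncated -> %d\n", demo_truncated());
    /* parse_report_unsafe is only ever called here on the well-formed packet;
     * feeding it the oversized packet would be undefined behaviour. */
    const uint8_t ok[] = { 0xC8, 4, 'a', 'b', 'c', 'd' };
    struct report r;
    printf("unsafe on valid input -> %d\n", parse_report_unsafe(ok, sizeof ok, &r));
    return 0;
}
```

The two checks in `parse_report_safe` are independent: the first protects the destination buffer, the second protects against over-reading the source. Dropping either one leaves a memory-safety bug that an attacker who controls the packet can trigger without any interaction from the recipient, which is the property the advisory describes.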
According to the Financial Times, which first reported the bug, the spyware was developed by the private Israeli security firm NSO Group, whose Pegasus software was able to take advantage of WhatsApp’s voice call feature to infect phones.
The flaw allowed attackers to install the surveillance software simply by calling a user, even if the call was not picked up. According to the FT, the call would sometimes not even show up in the user’s call log.
WhatsApp discovered in early May that attackers were using zero day exploit developed by NSO Group that installed malware on a user’s iPhone or Android phone simply by calling them. Target did not have to answer phone to be infected, and calls often disappeared from call logs https://t.co/rp6NHHWtiD
— Kim Zetter (@KimZetter) May 13, 2019
The issue affects WhatsApp for Android prior to version 2.19.134 and WhatsApp Business for Android prior to version 2.19.44. On iOS, WhatsApp prior to version 2.19.51 and WhatsApp Business prior to version 2.19.51 appear to have been affected. Users of WhatsApp for Windows Phone prior to version 2.18.348 and WhatsApp for Tizen prior to version 2.18.15 have been advised to update the app as well.