WhatsApp urges users to update app after finding spyware vulnerability

WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allows spyware to be planted on a user’s phone through the app’s phone call feature. The spyware was developed by the Israeli cyber intelligence company NSO Group. Attackers could transmit the malicious code to a target’s device by calling the user and corrupting the call, whether or not the recipient answers.

WhatsApp said that the vulnerability was discovered this month and that the firm worked quickly to address the problem. An update to the app was released on Monday, and the company is now encouraging everyone to update.

“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp said in a statement. “We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society.”

The firm also published an advisory to security specialists, in which it described the flaw as: “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”

The NSO Group is an Israeli company that has been referred to in the past as a “cyber-arms dealer”. NSO’s software can collect intimate data from a target device, including capturing data through the microphone and camera and gathering location data.

In a statement, the group said: “NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.

“The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation.”

It is too early to know how many users have been affected by the vulnerability, but WhatsApp did say the attacks were highly targeted.
