What’s up with WhatsApp as flaw injects spyware on phones

14 May 2019


WhatsApp confirms hackers were able to use call function to spy on users.

WhatsApp has confirmed that it has become the victim of a major attack where hackers were able to remotely install surveillance software on phones and other devices using a vulnerability in its app.

It has urged its 1.5bn users to update their apps as a precaution. The company said that it discovered the vulnerability this month and addressed the problem within its own infrastructure.


The Facebook-owned messaging app said that the attack targeted a select number of users. The attack, it said, was orchestrated by “an advanced cyber actor”.

It has been reported that the spyware was developed by the Israeli cyber intelligence company NSO Group.

Military-grade attack

Attackers were able to transmit the malicious code to a target device by simply calling the user and infecting the call, whether the user answered or not.

The frightening implication is that this military-grade capability actually exists and can target specific users.

In a technical update, Facebook said: “A buffer overflow vulnerability in WhatsApp VOIP [voice over IP] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.

“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348 and WhatsApp for Tizen prior to v2.18.15.”

The attack was exposed by the Financial Times, which reported that the vulnerability was used in an attempted attack on the phone of a UK-based lawyer involved in a lawsuit against NSO that was brought by a group of Mexican journalists, government critics and a Saudi dissident.

WhatsApp said it has alerted US law enforcement to the attack and has shared information with human rights groups and security vendors.

“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp said on Monday (13 May).

Human rights group Amnesty International said it is supporting legal action to take the Israeli Ministry of Defense (MoD) to court to demand it revokes the export licence of NSO Group, an Israeli company whose spyware products it claims have been used in attacks on human rights defenders around the world.

In a petition to be filed today (14 May) at the district court of Tel Aviv, Amnesty Israel and other groups will show how the Israeli MoD has put human rights at risk by allowing NSO to export its products.

“There is growing evidence of the use of a particularly invasive piece of NSO Group spyware called ‘Pegasus’ to target activists globally, including at least 24 human rights defenders, journalists and parliamentarians in Mexico; an Amnesty employee; Saudi activists Omar Abdulaziz, Yahya Assiri, Ghanem Al-Masarir; award-winning Emirati human rights campaigner Ahmed Mansoor; and, reportedly, murdered Saudi journalist Jamal Khashoggi,” Amnesty said in a statement.

“Last August, an Amnesty staff member received a WhatsApp message in Arabic with a link claiming to be about a protest outside the Saudi Arabian embassy in Washington DC, sent when Amnesty was campaigning for the release of jailed Saudi women activists. If clicked, Pegasus software would have infected the Amnesty employee’s phone, taking near-total control of the cameras and microphone, tracking keystrokes and accessing contact lists,” Amnesty warned.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
