Facebook-owned WhatsApp is the most popular messaging platform in the world with more than 1.5 billion active users. That makes it a big target for hackers, and one group reportedly discovered a vulnerability that allowed them to inject malware into phones. All they had to do was place a voice call.
We’re all familiar with the conventional security advice, such as don’t open suspicious attachments and don’t follow unknown web links. WhatsApp users didn’t need to do anything to end up in trouble with this bug, though. The attackers used VoIP calls in WhatsApp to transmit malware, and the target didn’t even need to answer.
WhatsApp says it identified the bug in early May, but it was already active in the wild. It rolled out a patch this week, but the company is still reluctant to talk about the specifics. This was no amateur operation, after all. Sources point to the notorious Israeli spy firm NSO Group as the perpetrator of the attack. NSO Group is known to work with governments to implant malware on targeted systems. WhatsApp reached out to several human rights groups to provide details about the bug when it realized what had happened, but NSO Group claims it wasn’t involved.
The only definitive information on the hack comes from the Facebook security advisory, which notes the hack leverages a type of bug called a buffer overflow. In these attacks, an attacker attempts to overload buffer zones in memory to force the system to load that data into less-controlled areas. This can lead to crashes or allow the attacker to access critical system components.
VoIP is not exactly a new technology, but the implementation in each app can be different. That provides opportunities for developers to inadvertently introduce vulnerabilities. WhatsApp features end-to-end encryption, ensuring that only the sender and recipient of a message can read it. The spyware injected by NSO Group allegedly allowed a third-party to see the messages after they were decrypted on the user’s phone.
This attack was highly targeted, focusing on activists and human rights attorneys. So, odds are that no one will be placing a malware call to your device. That said, other bad actors might be able to work out the method used by NSO Group to carry out a less-targeted campaign. All WhatsApp users should upgrade to the latest version of the app, which has a fix in place for the VoIP attack.
Facebook, Instagram, Oculus, WhatsApp All Offline, Company Communication Crippled [Updated]
Facebook, Instagram, Oculus, and WhatsApp all fell offline earlier today on one of Facebook's worst news days this... week.