Facebook-owned WhatsApp is the most popular messaging platform in the world with more than 1.5 billion active users. That makes it a big target for hackers, and one group reportedly discovered a vulnerability that allowed them to inject malware into phones. All they had to do was place a voice call.
We’re all familiar with the conventional security advice, such as don’t open suspicious attachments and don’t follow unknown web links. WhatsApp users didn’t need to do anything to end up in trouble with this bug, though. The attackers used VoIP calls in WhatsApp to transmit malware, and the target didn’t even need to answer.
WhatsApp says it identified the bug in early May, but it was already active in the wild. It rolled out a patch this week, but the company is still reluctant to talk about the specifics. This was no amateur operation, after all. Sources point to the notorious Israeli spy firm NSO Group as the perpetrator of the attack. NSO Group is known to work with governments to implant malware on targeted systems. WhatsApp reached out to several human rights groups to provide details about the bug when it realized what had happened, but NSO Group claims it wasn’t involved.
The only definitive information on the hack comes from the Facebook security advisory, which notes that the hack leverages a type of bug called a buffer overflow. In these attacks, an attacker supplies more data than a fixed-size buffer in memory can hold, and because the program does not check the size, the excess overwrites adjacent memory. This can lead to crashes or allow the attacker to access critical system components.
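The missing length check behind this class of bug, shown beside the corrected form. This is an added example, not code from WhatsApp or the Facebook advisory; the packet layout, `FIELD_MAX`, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 64 /* capacity of the fixed-size destination buffer */

/* Hypothetical call-setup packet, constructed for illustration only:
 * [type: 1 byte][length: 2 bytes, big-endian][payload: length bytes] */
struct call_field {
    uint8_t type;
    size_t  len;
    uint8_t data[FIELD_MAX];
};

/* Unsafe pattern: the copy size comes straight from the sender. */
int parse_unchecked(const uint8_t *pkt, size_t pkt_len, struct call_field *out)
{
    (void)pkt_len;                       /* never consulted: that is the bug */
    size_t claimed = ((size_t)pkt[1] << 8) | pkt[2];
    out->type = pkt[0];
    memcpy(out->data, pkt + 3, claimed); /* writes past data[] if claimed > 64 */
    out->len = claimed;
    return 0;
}

/* Hardened form: check the length against received bytes and buffer capacity. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct call_field *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 3)
        return -1;                       /* header truncated */
    size_t claimed = ((size_t)pkt[1] << 8) | pkt[2];
    if (claimed > pkt_len - 3)
        return -2;                       /* length exceeds received bytes */
    if (claimed > sizeof out->data)
        return -3;                       /* length exceeds destination buffer */
    out->type = pkt[0];
    memcpy(out->data, pkt + 3, claimed);
    out->len = claimed;
    return 0;
}

/* Constructed sample: header claims `claimed` bytes, packet carries `actual`. */
int check_sample(uint16_t claimed, size_t actual)
{
    uint8_t pkt[3 + 256] = { 0x01, (uint8_t)(claimed >> 8), (uint8_t)claimed };
    struct call_field f;
    if (actual > 256) actual = 256;      /* stay inside the sample buffer */
    return parse_checked(pkt, 3 + actual, &f);
}
```

The hardened parser rejects the packet before any copy happens, which matters for input like call setup data that is processed without any action from the recipient.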
VoIP is not exactly a new technology, but the implementation in each app can be different. That provides opportunities for developers to inadvertently introduce vulnerabilities. WhatsApp features end-to-end encryption, ensuring that only the sender and recipient of a message can read it. The spyware injected by NSO Group allegedly allowed a third party to see the messages after they were decrypted on the user’s phone.
This attack was highly targeted, focusing on activists and human rights attorneys. So, odds are that no one will be placing a malware call to your device. That said, other bad actors might be able to work out the method used by NSO Group to carry out a less-targeted campaign. All WhatsApp users should upgrade to the latest version of the app, which has a fix in place for the VoIP attack.