Engineers at WhatsApp HQ have been working around the clock to patch a loophole that allowed malicious attackers to install surveillance spyware onto iPhones and Android phones.
The bug, detailed in Facebook’s advisory for CVE-2019-3568, is a buffer overflow vulnerability within WhatsApp’s VOIP function. An attacker would only need to call a target and send rigged Secure Real-time Transport Protocol (SRTP) packets to the phone, allowing them to use the memory flaw in WhatsApp’s VOIP function to inject the spyware and control the device.
In other words, the flaw let hackers install surveillance spyware on mobile phones when people made or received calls. But that’s not all – the malicious spyware code could be transmitted even if users did not answer their phones, and calls often disappeared from call logs straight after.
In its report on the security breach, The Financial Times identified the firm responsible as Israel’s NSO Group, and WhatsApp all but confirmed the identification. NSO Group has long maintained that its products are sold to government agencies solely for the purpose of fighting terrorism and aiding law enforcement investigations, and in a statement on Monday, it claimed that its spyware was strictly licensed to government agencies and that it would investigate any “credible allegations of misuse.”
However, NSO’s spyware has recently been discovered in use by governments with questionable human-rights records like the United Arab Emirates, Saudi Arabia and Mexico. What’s worse, NSO spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi in Istanbul last year.
According to the FT report, hackers had been using the loophole up until Sunday evening, when it was used to target a London-based human rights lawyer. The lawyer, who declined to be identified, has been involved in lawsuits that accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists.
WhatsApp described the hackers as having “all the hallmarks of a private company that works with a number of governments around the world,” adding that they do so “to deliver spyware that reportedly takes over the functions of mobile phone operating systems”.
At present, the Facebook-owned company that boasts over 1.5bn users worldwide has not yet determined how many phones were targeted using this method. However, the company has advised that all users should update to the latest version of WhatsApp, which was issued on Monday.
While the loophole may be patched up, the security breach could cause serious problems for WhatsApp’s reputation, which has been built on the privacy and security of the end-to-end encryption in its highly popular messaging and call app.