WhatsApp vulnerability allowed attackers to inject spyware

(CNA) – WhatsApp on Tuesday (May 14) encouraged its users to upgrade the app to plug a security breach that allowed sophisticated attackers to sneak spyware into phones, in the latest trouble for its parent Facebook.

The vulnerability – first reported by the Financial Times – allowed hackers to insert malicious software on phones by calling the target using the app, which is used by 1.5 billion people around the world.

FT cited a spyware dealer saying that the tool was developed by a shadowy Israel-based firm called NSO Group, which has been accused of helping governments from the Middle East to Mexico snoop on activists and journalists.

And security researchers said the malicious code bore similarities to other tech developed by the firm, according to The New York Times.

The vulnerability – which impacts Android devices and Apple’s iPhones – was discovered earlier this month.

The malicious code was sent through the app’s voice call function to users’ phones. It could be transmitted even if the targets did not pick up the calls, and the calls could also disappear from call logs, reported FT.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said.

A fix has since been rolled out in the latest WhatsApp update.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” said a company spokesperson in response to CNA’s queries.

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

The company added that it has provided information to US law enforcement to help conduct an investigation.

WhatsApp has briefed human rights organisations on the matter, but did not identify them.

The Citizen Lab, a research group at the University of Toronto, said in a tweet it believed an attacker tried to target a human rights lawyer as recently as Sunday using this flaw, but was blocked by WhatsApp.
