WhatsApp call hack installs spyware on users’ phones

iPhones and Android devices are vulnerable to security flaw – WhatsApp recommends immediate app update

A vulnerability has been discovered in WhatsApp that allows hackers to covertly install spyware on users' phones and track their communications and even location.

The exploit, which was first reported by The Financial Times, affects both iOS and Android devices and was discovered by WhatsApp earlier this month.

The malware is delivered through a voice call on the app that doesn't even require the user to answer in order for it to be installed, According to a "spyware dealer" who spoke to the FT and WhatsApp. The spyware dealer also claimed that the attacker was then able to delete call logs, so the user may have no idea they were targeted.

It's alleged that the malicious code was developed by NSO Group, a secretive firm based in Israel that's known primarily for developing spyware under the codename Pegasus, which was discovered by the University of Toronto's Citizen Lab and cyber security firm Lookout in 2016.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Pegasus, which is sold to third parties such as government agencies, can turn on a phone's microphone and camera, and collect information from emails and messages as well as picking up location data.

As in 2016, this latest attack seems to have been used primarily to target those working in the field of human rights, with the FT reporting that a UK-based human rights lawyer was targeted on Sunday 12 May.

IT Pro contacted NSO Group for comment, but hadn't received a response at the time of publication. However, the organisation told the FT: "Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.

"NSO would not, or could not, use its technology in its own right to target any person or organisation."

Independent security researcher Graham Cluley told IT Pro it's not surprising that a vulnerability like this had been found and exploited in WhatsApp.

"Any complicated piece of software is going to have bugs. Such a widely-used piece of software like WhatsApp is going to have many more determined parties looking closely at it for vulnerabilities and exploits than something that few people use," he said

Advertisement - Article continues below

He also said it's unsurprising that a specific victim profile had been targeted by whoever has deployed the malware, rather than used to capture data on all or most users.

"Attacks like this aren't typically used against a large number of individuals, but a small, targeted group of victims that are of high value to intelligence agencies and governments," he said.

It's currently not known how long the vulnerability has been in place, however, the company issued a patch for its mobile apps yesterday and is urging all users to upgrade to the latest version as soon as possible. It has also taken steps to deny attackers the ability to use this exploit at an infrastructure level.

In a statement issued to IT Pro, a WhatsApp spokesman said: "WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Most Popular

Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020