WhatsApp Vulnerability Allows Spyware to Infect Users’ Mobiles

Out of necessary caution, WhatsApp is urging its billion users to update their apps following spyware discovery. The defect lies in Whatsapp’s infrastructure – specifically the app’s phone call function -, which the Isralian-made Pegasus software managed to exploit. Whatsapp confirms that you can get infected with the spyware by a call. This is true whether or not you pick it up. Read all about it here.

Brief Overview

Spyware developers and hackers were successful in remotely installing surveillance software on devices due to a WhatsApp vulnerability. The messaging app said, “an advanced cyber actor” is behind orchestrating an attack against a “select number” of users. An Israeli security firm NSO Group is responsible for the attack. It was first discovered in the early peeks of this month. This Israeli cyber intelligence company’s spyware makes use of infected phone calls to take over the operating systems’ functions. For that reason, the company quickly addressed the problem in its infrastructure and rolled out a fix on Friday. It urges users not to overlook the upgrade for their own safety. 

WhatsApp’s Vulnerability

Attackers can use WhatsApp’s voice calling feature to ring a target’s device. Now, even if no one picks up the call, the surveillance software gets installed. Also, the call would disappear from the device’s call log like it never happened. WhatsApp’s team was lucky enough to have been the first to identify the flaw in its infrastructure. The company shared their discovery with human rights groups, selected security vendors and the US Department of Justice.

In a briefing document note for journalists, the company declared: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.” Also, the company published an advisory to security experts warning them against potential exploitations. The statement went on: “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”

Whom Did it Target?

While WhatsApp claimed that it was too early to identify the number of unlucky users, it did manage to list a few. On 12 May, the cybercriminals exploited Whatsapp’s phone call vulnerability on the phone of a UK-based lawyer. Apparently, the attorney is part of a lawsuit against NSO. A group of Mexican journalists, government critics, and Saudi Arabian rebels are part of the lawsuit.

Amnesty International had previously had an ugly encounter with the NSO Group. It was once targeted by one of its tools in the past. The non-governmental organization stated that this attack is what they have feared all along. Danna Ingleton, deputy program director for Amnesty Tech said: “They’re able to infect your phone without you actually taking an action. There needs to be some accountability for this, it can’t just continue to be a wild west, secretive industry.” 

About the Spyware

NSO only deals with state intelligence agencies when Pegasus comes into the picture. Meaning its spyware is not easily accessible or attainable. Once you install the spyware on your phone, the software can extract all of the users’ data. This includes text messages, contacts, GPS location, and browser history. Add to that, the creation of new data by using the phone’s microphone and camera to record your surroundings.

The Spyware’s Developers

The NSO Group is an Israeli company previously bore the title of “cyber arms dealer”. Its dangerous software, Pegasus, can infect users’ systems and collect data from their devices.  This includes capturing data through the microphone and camera as well as gathering location data.

While this is outrageously an unacceptable violation of privacy, the NSO group saw no harm in it. As a matter of fact, they have designed this software for, believe it or not, good purposes. The exact group’s word was: “NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”

Whatsapp’s Response

Whatsapp warned US law enforcement about the potentials of vulnerability exploitations. It even published a “CVE notice”, alerting cybersecurity experts to “common vulnerabilities and exposures”.

WhatsApp stated: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society.”

NSO’s Response

NSO Group released a response saying: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual.”

What About the End to End Encryption?

The spyware has dealt the messaging company a mighty blow, causing distress among 1.5 billion Whatsapp users. Amid the shocking discovery, users are now wondering about the nature of the app’s end-to-end encryption. This secure system of communication made Whatsapp both popular and secure among activists, dissidents, and all the privacy-conscious. Although the Pegasus spyware does not affect or interfere with WhatsApp’s encryption, its mere presence unsettled the app’s users.

Final Words

A Tel Aviv court will hear a petition led by Amnesty International on Tuesday. This court hearing will call for Israel’s Ministry of Defence to revoke NSO Group’s license to export its products. Hopefully, this petition will be taken into great consideration as we are constantly being dragged into privacy upheaval. Companies and governments are shaping a world where there is no stone left unturned. That’s not how we want things to be.

Exploiting data has become a profit-making hobby with the support of spyware developers as such. You cannot escape this cyber world where regimes use tools to keep activists and journalists under surveillance and companies follow up on users’ online activities to make money. There are ways in which you can chat safely of WhatsApp, and avoid certain Whatsapp versions like Whatsapp Gold to ensure privacy. But, there’s no way you can be absolutely safe unless you give up the internet. You can try and take the necessary precautions to stay safe online, but you can never be sure how well that will go or last.