A vulnerability discovered in Facebook’s WhatsApp messaging app is being exploited to inject commercial spyware onto Android and iOS phones simply by calling the target. The spyware was developed by the Israeli cyber intelligence company NSO Group. Attackers could transmit the malicious code to a target’s device by calling the user, and the infection could succeed whether the recipient answered the call or not. Logs of the incoming calls were often erased.
Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole.
WhatsApp said that the vulnerability was discovered this month, and that the company quickly addressed the problem within its own infrastructure. An update to the app was published Monday.
Though that back-end fix alone should have patched the vulnerability, the company is still recommending that users update WhatsApp to the following latest versions:
- WhatsApp for Android: v2.19.134
- WhatsApp Business for Android: v2.19.44
- WhatsApp for iOS: v2.19.51
- WhatsApp Business for iOS: v2.19.51
- WhatsApp for Windows Phone: v2.18.348
- WhatsApp for Tizen: v2.18.15
The hack targeted all commonly used smartphone operating systems, including Apple’s iOS, Google’s Android, Microsoft’s Windows Phone and Samsung’s Tizen.
NSO limits sales of its spyware, Pegasus, to state intelligence agencies. The spyware’s capabilities are near absolute. Once installed on a phone, the software can extract all of the data that’s already on the device (text messages, contacts, GPS location, email, browser history, etc.), in addition to creating new data by using the phone’s microphone and camera to record the user’s surroundings and ambient sounds, according to a 2016 report by the New York Times.
WhatsApp has about 1.5 billion users around the world. The messaging app uses end-to-end encryption, making it a popular and secure choice for activists and dissidents. The Pegasus spyware does not affect or involve the app’s encryption.