WhatsApp had a scary flaw that was used to secretly send spyware to smartphones simply by calling the victim up.
On Monday, the Facebook-owned messaging service disclosed the vulnerability, which affects both iOS and Android, after it was used to attack a number of victims, a WhatsApp spokesperson told PCMag.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date," the spokesperson said in an email.
According to WhatsApp, the attacks have all the hallmarks of a private company that works with governments to deliver spyware to mobile phones. Although it refrained from naming the company, WhatsApp is probably referring to NSO Group, an Israel technology firm notorious for developing a spyware program known as Pegasus that's targeted human rights activists, politicians and journalists.
The WhatsApp vulnerability allegedly allowed NSO Group to send spyware to the victims even when they had not answered a voice call over the app, according to The Financial Times, which was first to report the news.
The vulnerability deals with the voice over IP (VoIP) function on WhatsApp, which can enable internet-based voice calls. A bug in the VoIP function could let the attacker send specially-crafted data packets to essentially rewrite the app's memory, paving the way for remote code execution.
WhatsApp told PCMag it had identified the vulnerability earlier this month and promptly fixed it with patches that can be downloaded over both the iOS and Android versions of the app. The chat service has also changed its IT infrastructure to prevent the attack from ever taking place.
Recommended by Our Editors
It isn't clear how many victims were targeted. But it may have been used to attack a UK-based human rights lawyer this past Sunday, according to Citizen Lab, a watchdog group at the University of Toronto, which has been investigating NSO Group's activities.
WhatsApp has just pushed out updates to close a vulnerability. We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer. Now is a great time to update your WhatsApp software https://t.co/pJvjFMy2aw https://t.co/e8VQUraZWQ — Citizen Lab (@citizenlab) May 13, 2019
The vulnerability is found in WhatsApp for Android prior to version v2.19.134 and WhatsApp for iOS prior to v2.19.51. The WhatsApp Business apps and Windows Phone and Tizen versions are also affected. You can find out more here.
In a statement, NSO Group defended its technologies, saying they're designed for the purposes of helping governments fight crime and terrorism. "The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions," NSO Group said.
"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," the company added.