May 15, 2019
WhatsApp is urging its users to upgrade the app as soon as possible because of a critical vulnerability. The vulnerability allows a threat actor to install malware on a target’s phone simply by calling that WhatsApp user. The target does not even need to answer the call, so the vulnerability can be exploited at any time the malicious actor wishes.
The company, which is now owned by Facebook, stated that an advanced threat actor was spreading the malware, having already infected multiple mobile phones using the major vulnerability that was discovered. The spyware in question was developed by an Israeli spyware company called NSO Group and gives the attacker full remote access to the victim’s phone. This includes being able to read all messages, see contacts and activate the camera on the phone, without having to go through WhatsApp once the malware has been installed.
Authorities have been informed
WhatsApp said on Tuesday that it had already informed the
authorities of the vulnerability. The authorities mentioned by name were the US
Department of Justice and Ireland’s Data Protection Commission, which is the
main regulator for WhatsApp in the EU. Both were made aware of a
“serious security vulnerability on the WhatsApp platform.”
The attack uses the voice call functionality in WhatsApp to
ring the victim’s device. This allows the malware to be installed without the
victim having to open the call at all. It could be done when the phone is out
of reach and the victim would never have a chance to protect themselves in any
England’s National Cyber Security Centre, the cybersecurity
arm of British Intelligence Services, has sent out a warning to WhatsApp users
to immediately update the software on their phones. The spy agency was quoted
as saying that it was “important to apply these updates quickly, to make
it as hard as possible for attackers to get in.”
NSO denies any wrongdoing
In a quirky twist of fate, the NSO Group has denied that it
is responsible for these attacks, saying that they “would not, or could
not” use the technology made within their walls to go after “any person or
organization”. It was a finely worded response by a company that is
heavily suspected of selling malware to various intelligence agencies and
nation-state-backed hacking groups. While it could be that the company has
never used the software itself, that does not absolve it of the issues that
have come to light recently.
The company further stated that it vets all of its customers
very carefully and investigates any claims of abuse of its software with all
seriousness. However, the company has recently been in the press for its
software being found on the phone of internationally celebrated Saudi
journalist Jamal Khashoggi.
Security researchers are calling this hack one of the worst
they have seen in a long time. The fact that there is nothing that a user could
possibly do to protect themselves from this is something that should not have
ever been allowed to happen. However, as soon as WhatsApp found out about the
vulnerability, they reached out to various groups such as Citizen Lab and other
human rights groups and immediately fixed the issue and pushed out a patch.
A spokesperson for the Electronic Frontier Foundation said that
the Israeli company has boasted of having no-click install capabilities for
some time now, and this latest news has shed light on how they managed to
gain this capability.
Amnesty International said last year already that they had
been targeted by software from the company, and the most recent target was a
researcher who was hacked using this vulnerability. With WhatsApp fixing the
loophole and reporting it to the authorities, Amnesty International is now
petitioning the Israeli government to revoke the malware provider’s export