A major vulnerability in messaging app WhatsApp allowed hackers to remotely install surveillance software on phones and other devices. This allowed hackers to read private messages, activate the camera and microphone on the device as well as access other sensitive information.
Facebook-owned WhatsApp said the attack by “an advanced cyber actor” targeted a “select number” of its 1.5bn users and that a fix was rolled out on Friday.
According to a report in the Financial Times, the attack was developed by Israeli security firm NSO Group and discovered earlier this month.
It involved attackers using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software would be installed. According to the FT, the call would often disappear from the device’s call log, leaving the target completely unaware of the breach.
WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that the suspected attacks were highly targeted.
In an advisory to security specialists, WhatsApp described the issue as: “buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
According to the company, “the issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.”
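As an added example (not code from WhatsApp or from the article), the check below takes the fixed versions quoted above and flags installed builds that are older; the product labels, the inventory layout and the sample device list are assumptions. The point it makes is that version strings must be compared numerically, since a plain string comparison ranks "2.19.134" below "2.19.51".

```python
from typing import Dict, List, Tuple

# Fixed versions per product, as listed in the WhatsApp advisory quoted above.
# A build is affected if it is strictly older than the fixed version.
FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v2.19.134' or '2.19.134' into (2, 19, 134) so comparisons are numeric.
    Comparing the raw strings would wrongly rank '2.19.134' below '2.19.51'."""
    parts = version.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """True if the installed build predates the fixed version for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version recorded for {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Split (device_id, product, version) records into needs_update and ok lists."""
    report: Dict[str, List[str]] = {"needs_update": [], "ok": []}
    for device_id, product, version in inventory:
        key = "needs_update" if is_affected(product, version) else "ok"
        report[key].append(device_id)
    return report


# Constructed sample inventory (hypothetical devices), mixing patched and unpatched builds.
SAMPLE_INVENTORY = [
    ("phone-01", "WhatsApp for Android", "v2.19.133"),
    ("phone-02", "WhatsApp for Android", "2.19.134"),
    ("phone-03", "WhatsApp for iOS", "2.19.51"),
    ("phone-04", "WhatsApp Business for Android", "2.18.9"),
    ("phone-05", "WhatsApp for Tizen", "2.18.15"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```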
A briefing note sent to journalists said: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”
NSO has denied the allegation that it was involved, saying: “NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.
“The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation.”