Posted on May 15, 2019 at 3:35 AM
Whatsapp is urging its users to upgrade their app as soon as possible due to a critical vulnerability found in their app. The vulnerability allows any threat actor to simply call a Whatsapp user and this will allow them to install malware on the target phone. The target does not need to even answer the call so the vulnerability can be accessed at any time that the malicious actor wishes.
The company, that is now owned by Facebook, stated that an advanced threat actor was spreading the malware, having already infected multiple mobile phones using the major vulnerability that was discovered. The spyware in question was developed by an Isreali spyware company called NSO Group and gives the attacker full remote access to the victim’s phone. This includes such powers as being able to read all messages, see contacts and activate the camera on the phone call without having to go through Whatsapp once the malware has been installed.
Authorities have been informed
Whatsapp said on Tuesday that it had already informed the authorities of the vulnerability. The authorities mentioned by name were the US Department of Justice and Ireland’s Data Protection Commission which is the main regulator for Whatsapp in the EU. Both were made of aware of a “serious security vulnerability on the Whatsapp platform.
The attack uses the voice call functionality in Whatsapp to ring the victim’s device. This allows the malware to be installed without the victim having to open the call at all. It could be done when the phone is out of reach and the victim would never have a chance to protect themselves in any way.
England’s National Cyber Security Centre, the cybersecurity arm of British Intelligence Services, has sent out a warning to Whatsapp users to immediately update the software on their phones. The spy agency was quoted as saying that it was “important to apply these updates quickly, to make it as hard as possible for attackers to get in.”
NSO denies any wrongdoing
In a quirky twist of fate, the NSO Group has denied that it is responsible for these attacks saying that they “would not, or could not” use the technology made within their walls to go after |any person or organization”. It was a finely worded response by a company that is heavily suspected of selling malware to various intelligence agencies and nation state-backed hacking groups. While it could be that the company has never used the software itself, that does not absolve it of the issues that have come to light recently.
The company further stated that it vets all of its customers very carefully and investigates any claims of abuse of its software with all seriousness. However, the company has recently been in the press for its software being found on the phone of internationally celebrated Saudi journalist Jamal Khashoggi.
Security researchers are calling this hack one of the worst they have seen in a long time. The fact that there is nothing that a user could possibly do to protect themselves from this is something that should not have ever been allowed to happen. However, as soon as Whatsapp found out about the vulnerability, they reached out to various groups such as Citizen Lab and other human rights groups and immediately fixed the issue and pushed out a patch.
A spokesperson for the Electronic Frontier Foundation said that the Isreali company has boasted of having no-click install capabilities for some time now, and this latest news has shed light onto how they managed to gain this capability.
Amnesty International said last year already that they had been targetted by software from the company, and the most recent was a researcher who was hacked using this vulnerability. With Whatsapp fixing the loophole and reporting it to the authorities, Amnesty International is now petitioning the Isreali government to revoke the malware providers export permit.