Update WhatsApp now: Bug lets snoopers put spyware on your phone with just a call

Stolen Israeli surveillance software was listed on Dark Web
The staff member stole Pegasus spyware code and attempted to sell it in the Dark Web.

WhatsApp has disclosed a serious vulnerability in the messaging app that gives snoops a way to remotely inject Israeli spyware on iPhone and Android devices simply by calling the target.  

The bug, detailed in a Monday Facebook advisory for CVE-2019-3568, is a buffer overflow vulnerability within WhatsApp’s VOIP function. 

An attacker would need to call a target and send rigged Secure Real-time Transport Protocol (SRTP) packets to the phone, allowing them to use the memory flaw in WhatsApp’s VOIP function to inject the spyware and control the device. 

SEE: 10 tips for new cybersecurity pros (free PDF)

The target wouldn’t even need to answer the call for the spyware to be injected, and the calls often disappear from call logs. 

The Financial Times, which broke the story, reports the spyware is from the Israeli company NSO Group, which has been accused of selling its spyware to governments with dubious human-rights records. 

NSO Group’s flagship product is Pegasus, a so-called ‘lawful intercept’ tool, which researchers at the University of Toronto’s Citizen Lab recently found is deployed in 45 countries. 

The widespread deployment suggested it is not only being used to combat local crime and terrorism, but also for cross-border surveillance, for example, by governments seeking information from political dissidents living in other countries. 

The malware can record conversations, steal private messages, exfiltrate photos, turn on a phone’s mic and camera, and collect location data.

Last year a Citizen Lab investigation found that colleagues of a slain Mexican journalist were also targeted with Pegasus

WhatsApp engineers on Sunday were reportedly racing to address the vulnerability as it was used that day in an attempt to install Pegasus on the phone of a UK-based human-rights lawyer. 

WhatsApp deployed a server-side fix on Friday last week and issued a patch for end-users on Monday alongside Facebook’s advisory. 

The WhatsApp VOIP flaw affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15. 

According to the Financial Times, the unnamed UK lawyer who was targeted with Pegasus is suing NSO Group in Israel on behalf a group of Mexican journalists and government critics and a Saudi dissident living in Canada. The suit alleges NSO Group shares liability for its product’s misuse by clients. 

Facebook told the publication: “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human-rights organizations to share the information we can, and to work with them to notify civil society.”

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

WhatsApp says it has informed the US Justice Department about the issue. 

NSO Group distanced itself from the actual attempt to install its spyware on the UK lawyer’s phone. 

“The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions,” NSO said in a statement to CNET

“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.” 

More on Pegasus, WhatsApp, Facebook, and security

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published.