WhatsApp vulnerability allowed attackers to inject spyware

The WhatsApp messaging application is seen on a phone screen Aug 3, 2017. (Photo: Reuters/Thomas White)

SINGAPORE: WhatsApp on Tuesday (May 14) urged its users to update the app to close a security flaw that allowed sophisticated attackers to install spyware on phones, in the latest trouble for its parent Facebook.

The vulnerability - first reported by the Financial Times - allowed attackers to install malicious software on a phone simply by placing a call to the target through the app, which is used by 1.5 billion people around the world.

FT cited a spyware dealer saying that the tool was developed by a shadowy Israel-based firm called NSO Group, which has been accused of helping governments from the Middle East to Mexico snoop on activists and journalists.

And security researchers said the malicious code bore similarities to other tech developed by the firm, according to The New York Times.

The vulnerability - which impacts Android devices and Apple's iPhones - was discovered earlier this month.

The malicious code was delivered to users' phones through the app's voice call function. It could be delivered even if the target did not answer the call, meaning no action by the victim was required, and the calls could also be erased from call logs, reported FT.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said.

A fix has since been rolled out in the latest WhatsApp update. 

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," said a company spokesperson in response to CNA's queries.

"We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."

The company added that it has provided information to US law enforcement to help conduct an investigation.

WhatsApp has briefed human rights organisations on the matter, but did not identify them.

The Citizen Lab, a research group at the University of Toronto, said in a tweet it believed an attacker tried to target a human rights lawyer as recently as Sunday using this flaw, but was blocked by WhatsApp.

SOFTWARE FOR "FIGHTING CRIME AND TERROR": NSO

When asked about the WhatsApp attacks by FT, NSO said it was investigating the issue.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company was quoted as saying.

The firm said on Tuesday that it only licenses its software to governments for "fighting crime and terror".

The NSO Group said in a statement to AFP that it "does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement (organisations) determine how to use the technology to support their public safety missions".

"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system."

NSO is best known as a supplier of mobile surveillance tools to governments and law enforcement agencies. It came to prominence in 2016 when researchers accused it of helping to spy on an activist in the United Arab Emirates. 

Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target's phone camera and microphone, and access data on it.

It was in the spotlight in 2017 amid allegations that the Mexican government had used its Pegasus mobile spyware to target private citizens.

Source: CNA/Agencies/nc(mn)