WhatsApp Flaw Allows Attackers to Install Spyware

WhatsApp, a popular instant messenger application, patched a serious security vulnerability this week after discovering it early this month. The exploited vulnerability allowed spyware to be installed. Signs indicated that the spyware came from a government using surveillance to target human rights groups and activists.

A WhatsApp spokesman has stated:

“We’re working with human rights groups on learning as much as we can about who may have been impacted from their community. That’s really where our highest concern is”

The spyware is believed to have been created by an Israeli cyber surveillance company, NSO Group. The director of cybersecurity at the Electronic Frontier Foundation stated:

“They said they believed it was NSO Group, but they also couched it in very careful terms with many caveats, because attribution is hard”

NSO Group commented on the attack to the Financial Times, stating:

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies… NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual.”

One target identified in the attack is a United Kingdom-based human rights lawyer. The lawyer said that he was hit on Sunday after he tried to download a WhatsApp update, which was unsuccessful.

The attack takes advantage of a buffer overflow vulnerability in the audio call feature of WhatsApp. This bug, known as CVE-2019-3568, is present in the VOIP stack and allows remote code execution (RCE).

To execute the attack, the threat actor calls the victim’s device and infects the call. The malware is installed even if the victim does not pick up the call. Most logs of the calls were then erased.

WhatsApp has notified the U.S. Department of Justice of the attack and issued a patch for the app. The company is urging users to update to the latest version. It did not reveal how many users were affected in the attack.

 

 
