WhatsApp, the messaging app used by more than 1.5 billion worldwide, says it’s patched a critical security vulnerability which allowed attackers to secretly infect phones with malicious spyware by just calling phone numbers over an in-app audio call.
The Facebook-owned company said the attack targeted a “select number” of users, and was orchestrated by “an advanced cyber actor,” according a statement from a WhatsApp spokesperson.
CVE-2019-3568, as the vulnerability has been documented, was discovered early this month, according to The Financial Times. It exploited a bug in the audio call feature of the app to allow the caller to inject spyware on the device being called, irrespective of whether the call was answered or not.
Also, the spyware erases the incoming call information from the logs, thus making it impossible for the targeted victim to detect the intrusion.
The FT, citing an unnamed “spyware technology dealer”, also said the “actor” was the Israeli company NSO Group, known for working with governments to install spyware.
It is also the maker of Pegasus, a program with advanced capabilities to jailbreak or root the infected mobile device, and turn on the phone’s microphone and camera, scan emails and messages, and collect all sorts of sensitive information.
“It is an unprecedented security flaw in terms of its potential to run high-profile targeted attacks,” said Ilia Kolochenko, Founder, CEO and Chief Architect at web security company ImmuniWeb Inc. “WhatsApp is so popular that virtually everyone is a potential victim. Worse, today, access to someone’s smartphone likely provides access to much more sensitive information than access to a computer for example. The ability to track the victim in real time, to listen to a device’s microphone and read instant communications are all a golden-mine for cybercriminals.”
WhatsApp’s end-to-end encryption feature, which scrambles the messages between two parties in transit so as to prevent third-parties from eavesdropping, has been a major selling-point for the application. So, the fact that malicious code could be injected by leveraging a buffer overflow vulnerability is a cause for serious concern.
To get a bit technical, the vulnerability works as follows: a buffer is a temporary area for data storage. A buffer overflow typically occurs when more data than the buffer can hold is written, causing the buffer to write the excess data to the adjacent memory location. In turn, this can sometimes cause content in that location to be overwritten, leading to unpredictable results in a program.
Attackers can exploit this bug by injecting code that’s meant to cause a buffer overflow, then writing the rest of the data to the memory address adjacent to the overflowing buffer. The overflow data might also contain malicious executable code that allows nefarious actors to run more sophisticated programs or grant themselves access to the system.
In this case, the exploit was patched on the server side, but it’s always advisable to update to the latest versions of the app for improved security and stability.