A WhatsApp zero day vulnerability has been identified which is being exploited to install spyware on users’ devices.
The flaw is a buffer overflow vulnerability is in the VOIP stack which can be exploited by sending specially crafted SRTCP packets to the targeted device.
No user interaction is required to exploit the flaw. It can be exploited by placing a call to the user’s device. It does not matter whether the call is answered, simply by placing the call, the attackers can trigger the buffer overflow condition and execute arbitrary code. As part of the attack, calls have also been deleted from the phone’s call log. The flaw is being tracked as CVE-2019-3568.
WhatsApp issued a statement Monday about the attacks it discovered saying, “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”
The attack has been attributed to “an advanced cyber actor” which has targeted “a select number” of the 1.5 billion global users of WhatsApp. The Financial Times reports that the advanced threat actor is the Israeli security company NSO Group.
NSO Group develops products that exploit zero-day vulnerabilities to install software for espionage purposes. Its software tools are often used by governments to spy on persons of interest, including human rights activists, journalists, and lawyers. According to NSO Group, its software is used for legitimate purposes, such as aiding governments in the fight against terrorism and crime.
The most notable software solution developed by the company is Pegasus, which is capable of hijacking the camera and microphone on a user’s device and collecting location data.
NSO Group has previously said it simply supplies the tools and does not identify nor personally use its software to spy on any targets. “NSO would not or could not use its technology in its own right to target any person or organisation.”
However, according to the Financial Times report, one of the individuals that has been targeted is a UK-based lawyer that is taking legal action against NSO Group on behalf of individuals who have been targeted using the firm’s software.
The vulnerable versions of WhatsApp are:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp for Windows Phone prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
An updated version of WhatsApp was released on Monday May 13, 2019. All users of WhatsApp have been advised to update the app as soon as possible to correct the vulnerability.