WhatsApp on Monday confirmed a cybersecurity breach that has enabled targeted spyware to be installed on phones through voice calls.
The vulnerability affects both iPhone and Android devices, with malicious code said to come from Israel's NSO Group, transmitted whether or not a user answers an infected call. The WhatsApp vulnerability is a buffer overflow weakness, enabling malicious code to be inserted into data packets sent during the process of starting a voice call. When the data is received, WhatsApp's internal buffer is forced to overflow, overwriting other parts of the app's memory, and control is given over to the application.
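To illustrate the class of bug described above, here is an added example (not WhatsApp's code, and not from the original article) of a parser that copies a sender-declared length into a fixed buffer, next to the bounds-checked form that rejects such a packet. The field layout, struct and function names are hypothetical, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 16   /* fixed-size destination buffer */

/* Hypothetical call-setup field, constructed for this example:
 * [type:1][len:2, big-endian][value:len]. Not WhatsApp's real format. */
struct call_setup { uint8_t type; uint8_t label[LABEL_MAX]; size_t label_len; };
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Vulnerable pattern, shown for contrast and never called: the length comes
 * from the sender and is used unchecked, so len > LABEL_MAX writes past
 * out->label into whatever memory follows it. */
void parse_field_unchecked(const uint8_t *pkt, struct call_setup *out) {
    size_t len = ((size_t)pkt[1] << 8) | pkt[2];
    out->type = pkt[0];
    memcpy(out->label, pkt + 3, len);
    out->label_len = len;
}

/* Hardened form: validate the declared length against both the bytes
 * actually received and the destination size before copying anything. */
int parse_field_checked(const uint8_t *pkt, size_t pkt_len, struct call_setup *out) {
    if (pkt_len < 3) return PARSE_TRUNCATED;        /* header incomplete */
    size_t len = ((size_t)pkt[1] << 8) | pkt[2];
    if (len > pkt_len - 3) return PARSE_TRUNCATED;  /* claims more than was sent */
    if (len > LABEL_MAX) return PARSE_TOO_LONG;     /* would overflow label[] */
    out->type = pkt[0];
    memcpy(out->label, pkt + 3, len);
    out->label_len = len;
    return PARSE_OK;
}

/* Constructed sample packets. */
static const uint8_t pkt_ok[]         = {0x01, 0x00, 0x04, 'c', 'a', 'l', 'l'};
static const uint8_t pkt_short[]      = {0x01, 0x00, 0x08, 'a'};  /* len 8, 1 byte present */
static const uint8_t pkt_oversize[67] = {0x01, 0x00, 0x40};       /* len 64 > LABEL_MAX */
static struct call_setup cs;

int main(void) {
    printf("ok:       %d\n", parse_field_checked(pkt_ok, sizeof pkt_ok, &cs));
    printf("short:    %d\n", parse_field_checked(pkt_short, sizeof pkt_short, &cs));
    printf("oversize: %d\n", parse_field_checked(pkt_oversize, sizeof pkt_oversize, &cs));
    return 0;
}
```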
Facebook's WhatsApp messaging application is lauded for its end-to-end encryption, both for messaging and voice calls.
WhatsApp told the Financial Times that "the attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society."
The security loophole was discovered early this month and the company started to deploy a fix to servers on Friday and to customers on Monday.
NSO's Pegasus software is intended for use by governments as a collection tool, enabling over-the-air access to devices. The software can target the microphone, camera and location data from a device, and has been described as the most sophisticated smartphone hack of all time.
Asked about the WhatsApp news, NSO said it was "investigating" and that "under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies."
WhatsApp said "we encourage people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."
WhatsApp also said it had referred the incident to the U.S. Department of Justice.
WhatsApp informed its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), of a “serious security vulnerability” on its platform.
For the average end user, the vulnerability is not something to really worry about, since WhatsApp discovered it and quickly fixed it.