An Israeli firm has exploited a flaw in the popular mobile messaging app WhatsApp to plant spyware on iPhones and Android devices.
One phone call is all it takes for software developed by the Israeli firm NSO Group to install itself on a vulnerable iPhone or Android device, according to a published report in the FT Times.
The publication broke the news on Monday, saying the flaw potentially affects 1.5 billion users of the Facebook-owned WhatsApp messaging application.
WhatsApp quickly issued a fix for the exploit, described in an alert on the Facebook website as “a buffer overflow vulnerability in WhatsApp VOIP stack” that allows for “remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a company spokesperson said in a statement. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
Late last week, WhatsApp also made changes to its infrastructure to prevent the attack from taking place. The company said it discovered the flaw earlier this month, but researchers suggested it has been around much longer than that.
“Rumors about such security flaws were circulating since a while already, but few people took them seriously,” said Ilia Kolochenko, Founder, CEO and Chief Architect at web security company ImmuniWeb Inc.
The exploit heard around the world
The global security community was still reeling from the news on Tuesday as the ramifications of the exploit and the spyware that took advantage of it began to sink in.
Calling the news “critical and alarming,” Kolochenko noted that WhatsApp business users should be especially careful to ensure enterprise devices weren’t affected.
“All corporate users of WhatsApp should urgently launch forensics on their mobile devices to verify whether they were compromised and backdoored,” he said.
However, given the reach of WhatsApp across the globe, business users are hardly the only victims of NSO’s activity who should worry about the potential for an information breach, Kolochenko said.
“WhatsApp is so popular that virtually everyone is a potential victim,” he said. “Worse, today, access to someone’s smartphone likely provides access to much more sensitive information than access to a computer, for example. The ability to track the victim in real time, to listen to a device’s microphone and read instant communications are all a goldmine for cybercriminals.”
Expressing deep concern about the capabilities enabled by the spyware, WhatsApp said it believes it was used by an “advanced cyber actor” targeting only “a select number of users.”
Indeed, evidence arose over the weekend that seemed to identify the targets of the attack as those involved in lawsuits that accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists, according to a report in the New York Times.
Researchers were alerted to this possibility when a London-based lawyer involved in those suits reported an attack similar to the spyware that the vulnerability makes possible.
Though quite secretive, NSO Group is known in security circles for its flagship product Pegasus, which can turn on a phone’s microphone and camera, search through e-mails and messages, and collect location data.
The company advertises its products to Middle Eastern and Western intelligence agencies, touting Pegasus as a method for helping governments combat cyberterrorism and other cyber criminal activity.
However, Pegasus has also been found on the phones of various journalists and dissidents, suggesting it is used not only for defensive purposes but also for cyberoffensive and cyberespionage purposes.
Facebook back in the hot seat
The exploit is also more troubling news for Facebook, which faced a series of controversies last year related to its data collection and monetization practices. The company is currently facing a fine of up to $5 billion in a Federal Trade Commission investigation surrounding these practices and has also spent about $3 billion in legal fees so far.
“I think this tremendous security incident will cause irreparable damage to Facebook’s reputation, as people are fed up seeing their data being sold, leaked and hacked,” Kolochenko said. “Serious legal ramifications are also foreseeable.”
It also calls into question the security of WhatsApp as a global messaging platform, said Jason Steer of security intelligence firm Recorded Future.
“The targeted surveillance attack on WhatsApp is the latest incident to highlight that even the most secure applications have vulnerabilities,” he said. “This incident is particularly notable as WhatsApp’s assurance of security and confidentiality is one of the reasons it has become the go-to messaging service for many. Vulnerabilities like this have huge implications for clandestine monitoring activity.”