A vulnerability discovered in Facebook’s WhatsApp messaging app is being exploited to inject commercial spyware onto Android and iOS phones by simply calling the target, reports The Financial Times. The spyware, developed by Israel’s secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp.
Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” said WhatsApp in a statement.
Facebook issued a security advisory on Monday apparently in relation to the WhatsApp vulnerability. “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” according to the advisory. The vulnerability exists in the following versions of WhatsApp:
WhatsApp for Android prior to v2.19.134
WhatsApp Business for Android prior to v2.19.44
WhatsApp for iOS prior to v2.19.51
WhatsApp Business for iOS prior to v2.19.51
WhatsApp for Windows Phone prior to v2.18.348
WhatsApp for Tizen prior to v2.18.15
The vulnerability discovered in early May, was targeted as recently as Sunday when a UK-based human rights lawyer was attacked by NSO’s flagship Pegasus program, according to researchers at Citizens Lab. The attack was blocked by WhatsApp. WhatsApp is investigating the situation but is so far unable to estimate the number of phones successfully targeted by the exploit, said a source speaking to the FT.