Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp.
WhatsApp, which is owned by Facebook, said the attack targeted a “select number” of users and was orchestrated by “an advanced cyber actor”, the BBC reported.
The attack was first discovered earlier this month and a fix was rolled out on Friday. The attack was allegedly developed by Israeli security firm NSO Group. On Monday (13.05.19), WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.
WhatsApp promotes itself as a “secure” communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient’s device. However, the surveillance software would have let an attacker read the messages on the target’s device.
It involved attackers using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software would be installed and the call would often disappear from the device’s call log.
WhatsApp told the BBC its security team was the first to identify the flaw and shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said on Monday in a briefing note for journalists.
The firm also published an advisory to security specialists, in which it described the flaw as: “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”
Some users of the app have questioned why the app store notes associated with the latest update are not explicit about the fix.
According to the BBC, the NSO Group is an Israeli company that has been referred to in the past as a “cyber-arms dealer”. The business is part-owned by the London-based private equity firm Novalpina Capital, which acquired a stake in February 2019.
WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that suspected attacks were highly targeted.
On Tuesday (14.05.19), a Tel Aviv court will hear a petition led by Amnesty International that calls for Israel’s Ministry of Defence to revoke the NSO Group’s licence to export its products.