What just happened? A vulnerability in WhatsApp was disclosed earlier this month that allowed attackers to inject spyware onto phones. NSO Group, the Israeli cyber arms firm behind the development of the spyware Pegasus, is known for selling such commercial spyware to governments and intelligence agencies. The malicious code worked by transmitting itself to a recipient's phone via a WhatsApp call, without the recipient needing to answer it, and then removing traces of the missed call from the phone's logs.
WhatsApp is used by over 1.5 billion people and remains one of the most popular messaging and VoIP services. While it does offer "Security by Default" in the form of end-to-end encryption, there will always be vulnerabilities in the wild that keep companies leapfrogging one another with exploits and security patches.
One such incident took place earlier this month, when a vulnerability in WhatsApp was discovered that allowed spyware to be installed on phones and thus to use the recipient's camera, mic, location and messaging information as part of a 'targeted' surveillance attack.
The details of this vulnerability surfaced in a report from The Financial Times. While the perpetrators are yet to be identified, a Middle Eastern country known for suppressing criticism of its human rights practices is currently under suspicion, as the targets of this attack seem to be human rights lawyers and activists. According to WhatsApp, the attack targeted a "select number" of users and was planned by "an advanced cyber actor."
"This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems," WhatsApp said in a statement. "We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society."
NSO rejected any involvement in this act and said, "Under no circumstances would NSO be involved in operating or identifying of targets of its technology."
WhatsApp, which is owned by Facebook, also published an advisory to security specialists in which it described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number."
The flaw has since been fixed. The company delivered a server-side fix on May 10th, and its engineers worked through Sunday to release the patched versions of its app on May 13th. As always, you can download the latest version of WhatsApp right here.