Last weekend, popular messaging app WhatsApp, owned by Facebook and used by 1.5bn people worldwide, was used by attackers to inject commercial spyware onto phones.
The Financial Times revealed that attackers were able to install surveillance software onto both iPhones and Android phones by ringing up targets using the app’s voice call function. As late as Sunday, while WhatsApp engineers worked to close the vulnerability, a UK-based human rights lawyer’s phone was targeted.
The malicious code, developed by the secretive Israeli company NSO Group, could be delivered even if the target did not answer the call, and the calls often disappeared from call logs, said a spyware dealer who had recently been briefed on the WhatsApp hack.
As yet, Facebook is not certain how many phones were targeted using this method, and all WhatsApp users are being advised to update the app to the latest release.
Mike Campin, VP Engineering at mobile threat defence specialist Wandera, explains the likely impacts of this vulnerability and how IT teams should respond.
“This new type of attack is deeply worrying and shows how even the most trusted mobile apps and platforms can be vulnerable. While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many. While WhatsApp is not typically used as an official corporate messaging application, it is used widely internationally on both employees’ personal devices as well as on corporate-issued devices, and once exploited via this new attack, the attacker has complete control and visibility of all data on the phone.
“IT teams have an urgent job to do. First, they need to take inventory of how many of their users are currently running an outdated version of WhatsApp on their devices to assess potential vulnerabilities. They need to instruct all their staff to update to the latest versions of WhatsApp, which were released on the App Store and Google Play on 10 May 2019. Then, they need to revisit their policies on which apps their employees can use for work purposes, whether that be on their own personal smartphones or corporate-issued devices.
“Bear in mind that this isn’t the first time WhatsApp’s security has been brought into question. We’ve seen recent incidents of ‘whishing’ – phishing messages over WhatsApp – that have been launched to dupe users. WhatsApp’s ‘end-to-end encryption’ badge certainly shouldn’t be mistaken as a guarantee that communications are secure.”
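The inventory step Campin describes, as an added example in Python that is not from the article or from Wandera: it reads an MDM app-inventory export (a constructed sample is embedded inline) and flags every device whose WhatsApp build is below the minimum patched version for its platform. The `FIXED_VERSIONS` thresholds and the bundle identifiers are assumptions supplied as a parameter; populate them from WhatsApp’s own advisory for the 10 May 2019 releases rather than from this snippet. The one check that matters is that versions are compared component-wise as integers: a plain string comparison ranks 2.19.134 below 2.19.51 and would quietly pass vulnerable devices.

```python
"""Flag devices running WhatsApp builds older than the patched releases.

Added example, not code from the article or from Wandera. The inventory
rows are constructed sample data and FIXED_VERSIONS is an assumption:
fill it from WhatsApp's own advisory for the 10 May 2019 releases.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Assumed minimum patched builds per (platform, bundle id). Verify these
# values and bundle ids against the vendor advisory before acting on them.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("android", "com.whatsapp"): "2.19.134",
    ("android", "com.whatsapp.w4b"): "2.19.44",
    ("ios", "net.whatsapp.WhatsApp"): "2.19.51",
    ("ios", "net.whatsapp.WhatsAppSMB"): "2.19.51",
}

# Constructed MDM export: one row per installed app per device.
SAMPLE_INVENTORY = """device_id,user,platform,bundle_id,version
d-001,alice,android,com.whatsapp,2.19.134
d-002,bob,android,com.whatsapp,2.19.51
d-003,carol,ios,net.whatsapp.WhatsApp,2.19.50
d-004,dave,ios,net.whatsapp.WhatsApp,2.19.60
d-005,erin,android,com.whatsapp.w4b,2.19.44
d-006,frank,ios,net.whatsapp.WhatsAppSMB,2.19.4
d-007,grace,android,com.slack,4.0.2
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.134' into (2, 19, 134) so comparisons are numeric per
    component. Compared as strings, '2.19.134' < '2.19.51', which would
    mark a patched build as vulnerable and vice versa. A trailing
    non-numeric suffix such as '-beta' is ignored."""
    parts = []
    for component in version.strip().split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(platform: str, bundle_id: str, version: str,
                  fixed: Dict[Tuple[str, str], str] = FIXED_VERSIONS) -> bool:
    """True when the installed build is strictly older than the fixed one.
    Apps we do not track (or platforms with no threshold) are not flagged."""
    key = (platform.strip().lower(), bundle_id.strip())
    if key not in fixed:
        return False
    return parse_version(version) < parse_version(fixed[key])


def find_outdated(inventory_csv: str,
                  fixed: Dict[Tuple[str, str], str] = FIXED_VERSIONS) -> List[dict]:
    """Return the inventory rows that need an update, in file order."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [
        row for row in reader
        if is_vulnerable(row["platform"], row["bundle_id"], row["version"], fixed)
    ]


if __name__ == "__main__":
    for row in find_outdated(SAMPLE_INVENTORY):
        print(f'{row["device_id"]} ({row["user"]}): {row["bundle_id"]} '
              f'{row["version"]} on {row["platform"]} is below the fixed release')
```

On the sample data the script reports d-002, d-003 and d-006; d-001 and d-005 sit exactly on the threshold and are treated as patched, and the untracked app on d-007 is ignored. Feed it the real export from your MDM and the real thresholds, and the flagged list is the set of users to chase before revisiting the wider app policy.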