WhatsApp has disclosed a serious vulnerability in the messaging app that gives snoops a way to remotely inject Israeli spyware on iPhone and Android devices simply by calling the target.
The bug, detailed in a Monday Facebook advisory for CVE-2019-3568, is a buffer overflow vulnerability within WhatsApp's VOIP function.
An attacker would need to call a target and send rigged Secure Real-time Transport Protocol (SRTP) packets to the phone, allowing them to use the memory flaw in WhatsApp's VOIP function to inject the spyware and control the device.
SEE: 10 tips for new cybersecurity pros (free PDF)
The target wouldn't even need to answer the call for the spyware to be injected, and the calls often disappear from call logs.
While WhatsApp does support end-to-end encryption, which should protect the content of communications between users, this security measure can be undermined if a device is compromise by malware.
The Financial Times, which broke the story, reports that the spyware is from the Israeli company NSO Group, which has been accused of selling its spyware to governments with dubious human-rights records.
NSO Group's flagship product is Pegasus, a so-called 'lawful intercept' tool, which researchers at the University of Toronto's Citizen Lab recently found is deployed in 45 countries.
The widespread deployment suggests it is not only being used to combat local crime and terrorism, but also for cross-border surveillance, for example, by governments seeking information from political dissidents living in other countries.
The malware can record conversations, steal private messages, exfiltrate photos, turn on a phone's mic and camera, and collect location data.
Last year a Citizen Lab investigation found that colleagues of a slain Mexican journalist were also targeted with Pegasus.
WhatsApp engineers on Sunday were reportedly racing to address the vulnerability as it was used that day in an attempt to install Pegasus on the phone of a UK-based human-rights lawyer.
WhatsApp deployed a server-side fix on Friday last week and issued a patch for end-users on Monday alongside Facebook's advisory.
The WhatsApp VOIP flaw affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
According to the Financial Times, the unnamed UK lawyer who was targeted with Pegasus is suing NSO Group in Israel on behalf a group of Mexican journalists and government critics and a Saudi dissident living in Canada. The suit alleges NSO Group shares liability for its product's misuse by clients.
Facebook told the publication: "This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human-rights organizations to share the information we can, and to work with them to notify civil society."
WhatsApp says it has informed the US Justice Department about the issue.
NSO Group has distanced itself from the actual attempt to install its spyware on the UK lawyer's phone.
"NSO would not or could not use its technology in its own right to target any person or organization, including this individual," NSO Group told ZDNet.
The company argues that its technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror.
"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public-safety missions," NSO group said.
It added that it investigates any credible allegations of misuse and if necessary, takes action, which could include shutting down the system.
"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law-enforcement agencies," NSO Group said.
More on Pegasus, WhatsApp, Facebook, and security
- Android beware: State-backed Pegasus spyware is found using phones to eavesdrop and grab data
- 'Lawful intercept' Pegasus spyware found deployed in 45 countries
- French government releases in-house IM app to replace WhatsApp and Telegram use
- Pegasus gov't spyware used to target colleague of slain drug cartel journalist
- Facebook harvested 1.5 million user email contacts without permission
- Over 540 million Facebook records found on exposed AWS servers
- Online security 101: How to protect your privacy from hackers, spies, and the government
- WhatsApp caps message forwarding to five instances to fight fake news
- Programmer tried to sell cyberweapon on dark web for $50M: Reminder to secure employees TechRepublic
- WhatsApp vulnerability allowed secretive installation of spyware CNET