WhatsApp fixes bug that let hackers take over app when answering a video call

Bug only affects WhatsApp for Android and iOS, but the issue has been fixed this week.

WhatsApp developers have fixed a bug in the Android and iOS versions of the WhatsApp mobile app that allowed hackers to take over the application when users answered an incoming video call.

Natalie Silvanovich, a security researcher with Google's Project Zero security research team, discovered the WhatsApp vulnerability at the end of August.

She described the vulnerability as a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation."

"Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," Silvanovich said in a bug report. "This issue can occur when a WhatsApp user accepts a call from a malicious peer."

Only WhatsApp's Android and iOS clients are affected, as they're the only ones who use the Real-time Transport Protocol (RTP) for video conferencing. WhatsApp's web client is not impacted because it uses WebRTC for video calls.

Silvanovich also published proof-of-concept code and instructions for reproducing an attack.

According to Silvanovich, WhatsApp fixed the issue in an update released on September 28 for the Android client and on October 3 for the iPhone client.

"WhatsApp cares deeply about the security of our users. We routinely engage with security researchers from around the world to ensure WhatsApp remains safe and reliable. We promptly issued a fix to the latest version of WhatsApp to resolve this issue," a WhatsApp spokesperson told ZDNet.

The Facebook-owned company said it found no evidence of this kind of attack being carried out in practice and encouraged users to update their mobile clients to prevent any abuse.

Last week, Israel's cyber-intelligence agency sent out an alert about a new hacking technique that relied on poorly secured voicemail inboxes to hijack WhatsApp accounts from their legitimate owners. That technique was first documented last year but began being massively abused this fall.

Article updated on October 9 with statement from WhatsApp.

RELATED CYBER-SECURITY COVERAGE: