If you’ve got WhatsApp installed on your phone – which you most likely do – we highly suggest that you go and update your phone now.
You’re a missed call away from being hacked
The Facebook-owned company has just revealed in a statement that its service had a vulnerability which allowed cybercriminals to install spyware onto a target’s phone. The worst part is that you would not even find out it had happened.
The attackers utilized a bug that allowed them to remotely install spyware on a target’s phone, be it an iPhone or Android device, by simply calling them. It did not matter if the call was answered or not. To make matters worse, after the deed had been done, the call would often disappear from victims’ call logs, and they’d be none the wiser.
A targeted attack using Israeli software
Around 1.5 billion people use WhatsApp, and the company has not been able to give an accurate estimate of how many users were hacked in this manner. It seems the attack was targeted at certain individuals and groups, namely journalists, activists and human rights organizations.
As for the organization behind this spyware, WhatsApp has weighed in without naming names outright.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp said to the media in a statement.
According to the Financial Times (FT), which was the first to report the issue, the malicious surveillance software was “developed by the secretive Israeli company NSO Group.”
“NSO advertises its products to Middle Eastern and western intelligence agencies, and says Pegasus (its flagship product) is intended for governments to fight terrorism and crime,” the FT continued. Pegasus is “a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.”
“In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones,” the FT said.
Asked about the WhatsApp attacks by the FT, NSO said it was investigating the issue.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation.”
Still, according to The Verge, this “hasn’t stopped the company’s spyware from being used by countries, organizations, and individuals undeterred by human rights concerns. In 2018, NSO’s spyware was aimed at prominent TV journalist Carmen Aristegui and 11 others while investigating a scandal involving the Mexican President.”
WhatsApp identified the security loophole in early May
WhatsApp learned of the vulnerability in its service earlier this month and put its engineers to work around the clock to fix it.
An update has been made available on the App Store and on Google Play.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesman said, as reported by Reuters.