WhatsApp is urging all of its users to update the app after the discovery of a serious vulnerability that let attackers install spyware, and so read messages, on targeted devices. A fix was released Friday.
The attack has been linked to NSO Group, according to reporting by The Financial Times. NSO Group is a technology and security firm based in Herzliya, Israel.
It is not known which users were affected, or how many, though WhatsApp has indicated that the attacks were aimed at a select number of specific targets.
The attack hinges on WhatsApp's voice call feature. Simply placing a call to a device was enough to remotely install surveillance software. The call did not even need to be answered, because the flaw was in the code that sets up the call, which runs before the user picks up. The missed call would also disappear from the app's call log.
WhatsApp uses end-to-end encryption, but that only protects messages in transit between devices. Software running on the recipient's phone sees messages after they have been decrypted, so the attack effectively bypasses the encryption by reading them at the endpoint.
WhatsApp is owned by social media giant Facebook. "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number," the firm stated in an advisory published after the attacks came to light.
A buffer overflow happens when more data is written into a fixed-size memory buffer than it can hold, so the excess spills into adjacent memory. If that adjacent memory holds something the program relies on, such as a function's return address or a pointer, an attacker who controls the overflowing data can corrupt it and redirect execution to code of their choosing. Triggering a buffer overflow with crafted input is one of the most common techniques in memory-corruption exploits; here the crafted input was a series of SRTCP packets that the VoIP stack parses while handling a call.
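To make the class of bug concrete, the following is an added example written for this article; it is not WhatsApp's code and does not reproduce the actual flaw. It parses a toy packet with an RTCP-style header, in which the packet itself declares how long its body is. The unchecked version trusts that attacker-controlled length and copies into a fixed buffer (the overflow pattern); the checked version refuses any length that exceeds either the bytes actually received or the destination buffer. The packet layout, the 64-byte `BODY_MAX`, the function names and the sample packets are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not WhatsApp's code: a toy parser for an RTCP-style packet
 * (RFC 3550 header: byte 0 = V/P/RC, byte 1 = PT, bytes 2-3 = length in
 * 32-bit words minus one, big-endian). SRTCP's trailing index and auth tag
 * are ignored here. The body length is derived from the attacker-controlled
 * header field, which is exactly the kind of value a parser must validate.
 */

#define BODY_MAX 64

struct rtcp_msg {
    uint8_t pt;
    size_t  body_len;
    uint8_t body[BODY_MAX];
};

/* Body length in bytes as the packet itself declares it. */
static size_t declared_body_len(const uint8_t *pkt)
{
    size_t words = ((size_t)pkt[2] << 8) | pkt[3];
    return (words + 1) * 4 - 4;       /* total length minus the 4-byte header */
}

/*
 * VULNERABLE pattern: trusts the declared length. A header claiming more than
 * BODY_MAX bytes makes memcpy write past msg->body (the overflow); one claiming
 * more than was actually received makes it read past the packet. Shown only to
 * illustrate the bug; never run it on untrusted input.
 */
int parse_rtcp_unchecked(const uint8_t *pkt, size_t pkt_len, struct rtcp_msg *msg)
{
    if (pkt_len < 4) return -1;
    msg->pt = pkt[1];
    msg->body_len = declared_body_len(pkt);
    memcpy(msg->body, pkt + 4, msg->body_len);    /* no bounds check */
    return 0;
}

/* Hardened: the declared length must fit both what was received and the destination. */
int parse_rtcp_checked(const uint8_t *pkt, size_t pkt_len, struct rtcp_msg *msg)
{
    if (pkt_len < 4) return -1;                  /* too short for a header */
    if ((pkt[0] >> 6) != 2) return -1;           /* RTP/RTCP version must be 2 */
    size_t body_len = declared_body_len(pkt);
    if (body_len > pkt_len - 4) return -2;       /* truncated: would read past packet */
    if (body_len > BODY_MAX) return -3;          /* oversized: would write past body[] */
    msg->pt = pkt[1];
    msg->body_len = body_len;
    memcpy(msg->body, pkt + 4, body_len);
    return 0;
}

/* How many bytes past body[] the unchecked copy would write for this packet. */
size_t unchecked_overrun(const uint8_t *pkt)
{
    size_t n = declared_body_len(pkt);
    return n > BODY_MAX ? n - BODY_MAX : 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t well_formed[12] = {
    0x80, 200, 0x00, 0x02,              /* V=2, PT=200, length=2 words -> 8-byte body */
    'h', 'e', 'l', 'l', 'o', '!', 0, 0
};
static const uint8_t truncated[12] = {
    0x80, 200, 0x00, 0x10,              /* claims a 64-byte body, only 8 bytes follow */
    0, 0, 0, 0, 0, 0, 0, 0
};

int demo_well_formed(void)           { struct rtcp_msg m; return parse_rtcp_checked(well_formed, sizeof well_formed, &m); }
int demo_unchecked_well_formed(void) { struct rtcp_msg m; return parse_rtcp_unchecked(well_formed, sizeof well_formed, &m); }
int demo_truncated(void)             { struct rtcp_msg m; return parse_rtcp_checked(truncated, sizeof truncated, &m); }

/* Attacker's packet: header claims a 1020-byte body and really carries it. */
int demo_oversized(void)
{
    uint8_t pkt[1024] = { 0x80, 200, 0x00, 0xFF };
    struct rtcp_msg m;
    return parse_rtcp_checked(pkt, sizeof pkt, &m);
}

size_t demo_overrun_bytes(void)
{
    uint8_t pkt[4] = { 0x80, 200, 0x00, 0xFF };
    return unchecked_overrun(pkt);
}

int main(void)
{
    printf("well-formed: %d, unchecked well-formed: %d\n",
           demo_well_formed(), demo_unchecked_well_formed());
    printf("truncated: %d, oversized: %d, unchecked copy would overrun by %zu bytes\n",
           demo_truncated(), demo_oversized(), demo_overrun_bytes());
    return 0;
}
```

The two checks in the hardened parser guard different directions: comparing the declared length against the bytes received prevents an out-of-bounds read from a truncated packet, and comparing it against `BODY_MAX` prevents the out-of-bounds write. On the oversized sample the unchecked copy would run 956 bytes past the end of `body[]`, which is the kind of corruption an exploit turns into code execution.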
What is NSO Group?
On its website, NSO Group describes itself as "[creating] technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe."
In a statement following the attacks, the company denied direct involvement in the attacks, but stopped short of disassociating its technology outright:
"NSO's technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror.
"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.
"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation."
Amnesty International is taking legal action to try to prevent the use of NSO Group technology. Pegasus, NSO Group's flagship spyware product, has been linked to attacks on journalists and activists, including an Amnesty International staff member.
How to update WhatsApp
iOS (fixed in version 2.19.51)
- Open the App Store
- Tap Updates at the bottom of the screen
- Tap Update next to WhatsApp to update the app
Note: If you see an Open button next to WhatsApp, it's already up to date.
Android (fixed in version 2.19.134)
- Open the Google Play store
- Tap the top-left hamburger menu
- Tap My Apps & Games
- Tap Update next to WhatsApp to update the app
Note: If you see an Open button next to WhatsApp, it's already up to date. To confirm the installed version on either platform, open WhatsApp and go to Settings > Help > App info.