WhatsApp hit by security spyware flaw – update immediately
Instant messaging app WhatsApp has revealed that it has just discovered a serious security flaw that could allow someone to spy on the device of a WhatsApp user just by calling them using the app.
WhatsApp also confirmed that it had discovered evidence that an unknown number of people had already been exploiting this flaw to spy on other WhatsApp users.
On Monday, WhatsApp advised all of its users to update the messaging app to the latest version as soon as possible. Here are your questions answered.
What was the security flaw?
The security flaw (which was discovered in early May by the Instagram security team) allowed an attacker to call a user with the WhatsApp phone call feature and install spyware on the device being called, regardless of whether the user being called answered or not.
The flaw is called a “buffer overflow” vulnerability. It’s a common type of vulnerability in which a piece of software writes more data into an area of memory than that area was set aside to hold, so the excess spills over into memory the software shouldn’t have access to.
While Instagram found the flaw in early May, it confirmed that certain people had already begun taking advantage of it, meaning this is a zero-day vulnerability: people outside of Instagram had discovered the flaw and exploited it before Instagram had a chance to begin fixing it. As such, the usual security advice of keeping your apps up-to-date would not have worked in this case.
This is also a flaw that does not rely on any interaction on the part of the victim, since it did not matter if the victim answered the call that initiated the attack. These are the most serious of security flaws.
Instagram has said that they have rendered the flaw inoperable and released an update that fixes it.
Who was exploiting this flaw?
WhatsApp has said that those exploiting the flaw were installing spyware developed by the NSO Group. This is an Israeli company that famously sells spyware and other types of surveillance software to governments in order to, they claim, help fight “crime and terror”.
However, their software is often linked to the surveillance of people such as human rights activists, lawyers and journalists. The NSO Group is often referred to as a “cyber-arms dealer”.
How many people were affected? Was I affected?
We don’t know, and probably not. But you need to update WhatsApp anyway.
It is likely, given that the spyware found was developed by the NSO Group, that the flaw and subsequent spyware were highly targeted (as opposed to being sent out en masse, which would increase the chances of discovery).
As such, the flaw and spyware were probably being used to spy on specific people, so the chances of the average WhatsApp user being targeted are quite low. However, the flaw is real, and other attackers could exploit it. So make sure you update (more on that below).
What could the spyware do?
The spyware that was developed by the NSO Group (which has been installed on devices as a result of the flaw) could most likely read WhatsApp messages. WhatsApp is famous for its end-to-end encryption, meaning theoretically only the sender and recipient can read messages sent in a chat. As such, software (spyware) that could monitor messages sent through WhatsApp would be highly sought after by those wishing to engage in surveillance.
It is not presently known if the spyware could reach outside the confines of a user’s device and spy on data contained within other apps.
How do I update WhatsApp?
Most users set the app to update automatically. If you don’t – or you’re unsure – follow the advice below.
Android
– Open the Google Play store.
– Tap the menu at the top left of the screen.
– Tap My Apps & Games.
– If WhatsApp has recently been updated, it appears in the list of apps with a button that says Open.
– If WhatsApp has not been automatically updated, the button says Update. Tap Update to install the latest version of the app.
– The latest version of WhatsApp on Android is 2.19.134.
iOS
– Open the App Store.
– At the bottom of the screen, tap Updates.
– If WhatsApp has recently been updated, it appears in the list of apps with a button that says Open.
– If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the latest version of the app.
– The latest version of WhatsApp on iOS is 2.19.51.