Monday, December 11, 2023


WhatsApp has fixed a security bug that allowed hackers to install unwanted software, known as spyware, on smart devices. The vulnerability was discovered in early May.


A recently discovered zero-day vulnerability in the world’s most popular messenger ‘WhatsApp’ allowed hackers to eavesdrop on users, read their encrypted chats, turn on the microphone and camera, and install spyware that allows even further surveillance, such as browsing through the victim’s photos and videos, accessing their contact list, and so on.

What’s even worse, to exploit the vulnerability, all the hacker needs to do is call the victim on WhatsApp. Reliable information about the situation is in somewhat short supply at this point. What is known is that a specially crafted call can trigger a buffer overflow in WhatsApp, allowing hackers to take control of the application and execute arbitrary code in it.

It seems the attackers used that method not only to snoop on users’ chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. And that’s what they did, installing a spyware app.

According to Facebook, which is the owner of WhatsApp, the vulnerability is now patched. It affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15. That means only the very latest versions of the app are currently safe to use; the vulnerability was patched just a couple of days ago.

Attempts to exploit this vulnerability have already been spotted in the wild. WhatsApp’s security team had implemented some changes on the back end that allowed them to block attacks that relied on the vulnerability, but how many people were spied on and who they were have still not been disclosed.

Recently, the Israeli firm linked to the WhatsApp hack has been facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service, The Guardian reported.

The human rights group’s concerns are detailed in a lawsuit filed in Israel by about 50 members and supporters of Amnesty International Israel and others from the human rights community. It has called on the country’s ministry of defense to ban the export of NSO’s Pegasus software, which can covertly take control of a mobile phone, copy its data and turn on the microphone for surveillance.

It is also not yet fully clear exactly which spyware app was being installed in the second stage of the attack, but some parties suspect it might be Pegasus, the spyware famous for its supremely flexible infection capabilities.

It’s worth mentioning that such vulnerabilities are hard to exploit and that Pegasus (assuming it was Pegasus) is expensive malware used mostly by state-sponsored actors, which means that if you’re of no interest to such high-profile spies, you’re probably safe. However, there’s always a chance that the spying tools might be leaked and used by other actors, so it’s wise to protect yourself.

How to protect yourself from WhatsApp attacks

Our best suggestion at the moment is to make sure your WhatsApp is up to date. To do that, go to the Apple App Store or Google Play Store, look for WhatsApp and hit Update. If there’s no “Update” button, but you see the “Open” button instead, that means you have the latest version of WhatsApp, and it is already patched against such attacks. We will update this post when we have more valuable information either on the attack or on other means of protection.
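
For anyone responsible for more than one phone, the version cut-offs listed above can be checked against a device inventory. The Python below is an added example, not code from WhatsApp or Facebook; the inventory layout and device names are constructed for illustration, and only the fixed version numbers come from this article.

```python
# Added example: flag WhatsApp installs older than the fixed versions
# named in the article. Record layout and device names are assumptions.

# First patched version per (platform, app), as listed in the article.
FIXED = {
    ("android", "whatsapp"): "2.19.134",
    ("android", "whatsapp business"): "2.19.44",
    ("ios", "whatsapp"): "2.19.51",
    ("ios", "whatsapp business"): "2.19.51",
    ("windows phone", "whatsapp"): "2.18.348",
    ("tizen", "whatsapp"): "2.18.15",
}

def parse_version(text):
    """Turn 'v2.19.134' into (2, 19, 134) so parts compare as numbers."""
    parts = text.strip().lower().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, app, version):
    """Return 'vulnerable', 'patched', or 'unknown' for one install."""
    fixed = FIXED.get((platform.strip().lower(), app.strip().lower()))
    if fixed is None:
        return "unknown"          # platform/app not covered by the article
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"          # missing or malformed version string
    fixed_t = parse_version(fixed)
    # Pad with zeros so '2.19' is treated as '2.19.0'.
    width = max(len(installed), len(fixed_t))
    installed += (0,) * (width - len(installed))
    fixed_t += (0,) * (width - len(fixed_t))
    # Numeric comparison matters: as plain strings, '2.19.98' would sort
    # after '2.19.134' and be wrongly reported as patched.
    return "vulnerable" if installed < fixed_t else "patched"

def needs_attention(inventory):
    """List device names whose install is vulnerable or cannot be judged."""
    return [name for name, platform, app, version in inventory
            if classify(platform, app, version) != "patched"]

# Constructed sample inventory: (device, platform, app, version).
SAMPLE = [
    ("phone-a", "Android", "WhatsApp", "2.19.98"),
    ("phone-b", "Android", "WhatsApp", "2.19.134"),
    ("phone-c", "iOS", "WhatsApp Business", "v2.19.51"),
    ("phone-d", "Tizen", "WhatsApp", "2.18.9"),
    ("phone-e", "iOS", "WhatsApp", ""),
]

if __name__ == "__main__":
    print(needs_attention(SAMPLE))
```

Devices reported as "unknown" are listed alongside vulnerable ones so that a missing version string is followed up rather than assumed safe.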
