It’s been confirmed this week that a group of hackers were able to successfully install surveillance software on mobile phones remotely by exploiting a major vulnerability in the Facebook owned messaging service, WhatsApp.

WhatsApp have said that the cyber-attack was coordinated by an advanced cyber actor and that it targeted a select number of users. It’s been suggested that the select users may have been human rights organisations and a lawyer based in the UK.

First discovered at the start of May 2019, WhatsApp have said that they have fixed the security hole in an update and is urging users to update their app.

The vulnerability that enabled the hackers to perform this cyber-attack is said to affect all previous versions of the app prior to the latest update, below are the versions of the app that have been patched to include the vulnerability fix.

WhatsApp-Security-Vulnerability
  • Android
    • WhatsApp v2.19.134
    • WhatsApp Business v2.19.44
  • iOS
    • WhatsApp v2.19.51
    • WhatsApp Business v2.19.51
  • Windows Phone
    • WhatsApp v2.18.348
  • Tizen
    • WhatsApp v2.18.15

The vulnerability has been quantified by Facebook in a security bulletin to security specialists as;

A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.

This means that attackers could install surveillance software onto mobile phones through the apps voice call feature, without the need for the user to pickup/answer the WhatsApp call, even removing the call from the call log.

It’s been reported (not confirmed) that the attack was developed by an Israeli cyber technology firm, NSO Group, the same firm that was allegedly responsible for the first remote iOS jailbreak back in 2016.