Home > Breaking > WhatsApp Fixes Bug That Allowed Spyware to be Installed Through Simple Call

WhatsApp Fixes Bug That Allowed Spyware to be Installed Through Simple Call

14 May 2019 1:22 PM

A simple WhatsApp call — even if you didn’t answer it — was utilized by an Israeli spyware company to install malware that allowed governments to track every key stroke or call made by the user, according to a report this morning in the Financial Times.
NSO Group has allegedly developed a runaround of WhatsApp’s encrypted messaging services by hacking directly into the phone’s software simply by calling the number. The targets didn’t need to pick up to be infected, and the calls often left no trace on the phone’s log.
Victims were all political activists or anti-Israel protestors; no one else was affected by the hack.
WhatsApp, which is owned by Facebook and has 1.5 billion users worldwide, said it discovered the vulnerability in early May and released a patch for it yesterday. Officials at the company said that it bears “all the hallmarks of a private company known to work with governments to deliver spyware.”
NSO Group denied any involvement in selecting or targeting victims. It didn’t mention its role in the creation of the hack itself.
WhatsApp didn’t say how the bug worked, but WhatsApp calls use voice over internet protocol, or VoIP, to connect users. VoIP apps have to acknowledge incoming calls and notify you about them, even if you don’t pick up.
The hack was apparently done through an extremely common type of bug, known as a “buffer overflow.” Apps have a sort of holding area, called a buffer, to stash extra data. The hacker overloads that buffer so the data “overflows” into other parts of the memory. This can cause crashes or, in some cases, give attackers a foothold to gain more and more control.
“This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days,” says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. “Security never was WhatsApp’s primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities.”

Leave a Reply

Send this to a friend