A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims' smartphones: all a snoop needs to do is make a booby-trapped voice call to a target's number, and they're in. The victim doesn't need to do a thing other than leave their phone on.

The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information on a handheld, and potentially further compromises the device. Call logs can be altered, too, to hide the method of infection.

To pull off this intrusion, the attacker has to carefully manipulate the packets of data sent when starting a voice call with their victim; when these packets are received by the target's smartphone, an internal buffer within WhatsApp is forced to overflow, overwriting other parts of the app's memory and leading to the snoop commandeering the chat application.

Engineers at Facebook scrambled over the weekend to patch the hole, designated CVE-2019-3568, and freshly secured versions of WhatsApp were pushed out to users on Monday. If your phone offers to update WhatsApp for you, do it, or check for new versions manually. The vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of the app, which is used by 1.5 billion people globally.

“A buffer overflow vulnerability in WhatsApp VoIP [voice over IP] stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” said Facebook in an advisory on Monday.

“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.”
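The flaw class described above, as an added illustration that is not WhatsApp's code: a simplified RTCP-style packet walker (RFC 3550 header layout, a hypothetical 64-byte scratch buffer, and constructed sample datagrams) showing the unchecked copy pattern next to a hardened version that validates every length field against both the bytes received and the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CHUNK 64  /* hypothetical fixed-size scratch buffer in a VoIP stack */

/* RTCP-style header (RFC 3550 layout): byte 0 = V/P/count, byte 1 = packet
 * type, bytes 2-3 = packet length in 32-bit words minus one. */
static size_t rtcp_chunk_len(const uint8_t *p) {
    uint16_t words = (uint16_t)((p[2] << 8) | p[3]);
    return ((size_t)words + 1) * 4;
}

/* The flawed pattern: the copy size comes straight from the attacker-
 * controlled length field, so a crafted header overruns `out`. Shown only
 * for contrast; never call this on untrusted input. */
void copy_chunk_unsafe(const uint8_t *pkt, uint8_t out[MAX_CHUNK]) {
    memcpy(out, pkt, rtcp_chunk_len(pkt));
}

/* Hardened walk over a compound packet: every declared length is checked
 * against the bytes actually received and against the destination buffer
 * before anything is copied. Returns the chunk count, or -1 if malformed. */
static int walk_compound_rtcp(const uint8_t *pkt, size_t pkt_len) {
    uint8_t chunk[MAX_CHUNK];
    size_t off = 0;
    int n = 0;
    while (off < pkt_len) {
        if (pkt_len - off < 4) return -1;        /* truncated header */
        size_t len = rtcp_chunk_len(pkt + off);
        if (len > pkt_len - off) return -1;      /* claims more than we got */
        if (len > sizeof chunk) return -1;       /* would overflow chunk[] */
        memcpy(chunk, pkt + off, len);
        off += len;
        n++;
    }
    return n;
}

/* Constructed sample datagrams (not real WhatsApp traffic). */
static const uint8_t benign_pkt[] = {
    0x80, 200, 0x00, 0x01, 1, 2, 3, 4,       /* SR, length 1 => 8 bytes */
    0x81, 202, 0x00, 0x01, 5, 6, 7, 8 };     /* SDES, length 1 => 8 bytes */
static const uint8_t lying_pkt[] = {
    0x80, 200, 0xFF, 0xFF, 1, 2, 3, 4 };     /* claims 262144 bytes */
static const uint8_t oversized_pkt[72] = {
    0x80, 200, 0x00, 0x11 };                 /* 72 bytes, exceeds MAX_CHUNK */
```

The hardened walker rejects both a packet that claims more bytes than the datagram holds and one that fits the datagram but not the scratch buffer; the unchecked copy would accept either.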

Surveillance

Exploiting this kind of vulnerability is non-trivial, though there are highly skilled organizations and companies out there developing tools that can achieve this level of surveillance, tools that are sold to government agencies and other groups to use against specific targets. This exploit would be perfect for a nation's spies keen to pry into the lives of persons of interest.

After all, why bother cracking WhatsApp's strong end-to-end encryption when you can overflow a buffer and hack the code itself?

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” Facebook told the Financial Times, which broke the news. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

Who could such a company be?

Miscreants were first spotted exploiting the bug in early May to infect and compromise victims' smartphones, and changes were made in WhatsApp's backend software to block further attacks prior to the team rolling out fully patched versions of the app to users. It is not yet clear how many people were targeted and spied on in total, though the WhatsApp team is still investigating. Prosecutors in the US have been alerted.

It's believed NSO Group built the exploits and surveillanceware used against WhatsApp users this month. The Israeli outfit, valued at $1bn, sells a highly capable spyware package, dubbed Pegasus, to governments around the world, ostensibly only allowing the suite to be used to snoop on and snare criminals and terrorists. Victims usually get a text message that tries to trick them into following a link that fetches and installs the software nasty. Now it seems NSO found a way to avoid any user interaction to achieve an automatic, silent infection.

NSO Group has been bragging that it has no-click install capabilities for quite some time. The real story here is that WhatsApp found the damn thing. — Eva (@evacide) May 13, 2019

Pegasus, once installed on a victim's device, can record phone calls, open messages, activate the phone’s camera and microphone for further surveillance, and relay back location data. While NSO claims it carefully vets its customers, the malware has been found on the phones of journalists, human rights campaigners, lawyers, and others.


Citizen Lab, the Canadian non-profit that helps monitor the spread of Pegasus and its ilk, said someone tried to use the VoIP exploit as late as Sunday night to infect a UK-based human rights lawyer's phone as Facebook engineers in London and San Francisco raced to push out patched versions of their software. However, we're told, the intrusion attempt failed due to backend defenses put in place earlier that week.

It's also understood the unnamed lawyer has helped people in Mexico and Saudi Arabia, who claim they have fallen victim to NSO Group's spyware, sue the company in Israel. However, the exploit developers denied any shenanigans.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the Israeli company said in a statement. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”

Meanwhile, Amnesty International and others will this week urge the Israeli military to ban the export of NSO Group's software on the grounds it's sold to governments with, ahem, questionable track records on human rights. ®

Updated to add

The human rights lawyer told Forbes on Tuesday that he "started receiving strange video calls over WhatsApp around three weeks ago in the early hours of the morning, from a number with Sweden’s +46 country code," and tipped off Citizen Lab, which probes the use of government spyware.

The lab then told WhatsApp, which was already working on closing the security hole after noticing strange crashes in its software's usage telemetry.