A security vulnerability in the popular Facebook-owned end-to-end encrypted messaging app WhatsApp allowed attackers to install spyware on smartphones without any user interaction, Financial Times has reported.

Exploitation of the flaw could be triggered by making a WhatsApp call to the target device and manipulating the data packets sent to it when the call is started.

Targets do not have to take the call in order for the exploit to work, and the attackers, once they gain access, can later even delete the call from the app’s call log, erasing all overt evidence of the attack.

About the vulnerability (CVE-2019-3568)

CVE-2019-3568 is a buffer overflow vulnerability in WhatsApp VOIP stack that allows remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

The vulnerability affects:

WhatsApp for Android prior to v2.19.134

WhatsApp Business for Android prior to v2.19.44

WhatsApp for iOS prior to v2.19.51

WhatsApp Business for iOS prior to v2.19.51

WhatsApp for Windows Phone prior to v2.18.348, and

WhatsApp for Tizen prior to v2.18.15.

While the vulnerability has been spotted getting exploited only in extremely targeted attacks and exploitation is not easy for most attackers, the 1.5 billion WhatsApp users around the world are urged to upgrade their WhatsApp as soon as possible.

About the attacks

WhatsApp discovered in early May that the vulnerability was being exploited to deliver the Pegasus mobile spyware developed by Israeli company NSO Group to select targets (it is currently unknown how many).

One of the known targets, though, was a UK-based human rights lawyer who was unsuccessfully attacked on Sunday.

“We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack and confirmed that if did not result in an infection,” John Scott-Railton, a senior researchers at the University of Toronto’s Citizen Lab, told FT. “We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”

The lawyer in question has been contracted by a group of Mexican journalists and government critics and a Saudi dissident to sue NSO Group in Israel, as they believe the company is partly responsable for any misuse of its software by clients.

NSO Group has denied being behind the attack on the lawyer or any other person or organization and said that “under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”

WhatsApp said that the US Justice Department has been informed of the vulnerability last week.

Comments from the infosec industry

Jake Moore, Security Specialist at ESET, says that while these type of highly targeted attacks are extremely rare, they should not be taken lightly.

“It is clear from this attack that cyber-criminal organisations continue to look for vulnerabilities in applications used by millions of people around the world in the hope they will find something to exploit,” he told Help Net Security.

“Rumors about such security flaws have been circulating for a while already, but few people took them seriously. All corporate users of WhatsApp should urgently launch forensics on their mobile devices to verify whether they were compromised and backdoored,” advised Ilia Kolochenko, Founder, CEO and Chief Architect at ImmuniWeb.

Matthew Aldridge, Senior Solutions Architect at Webroot, says that lines are being blurred between cybersecurity research organisations and nation-state intelligence services.

“This attack may have been in use for some time before being discovered. It highlights the importance of installing updates regularly, but it should also be a reminder to those whose lives depend upon secret communications that they need to choose their toolkit with extreme caution. Relying solely on one secure communications solution on one device isn’t enough,” he pointed out.

“The question as to whether the creators of this exploit and the associated Pegasus spy tool, NSO Group, could have used their technology directly or indirectly for potential gain in legal proceedings is a very serious one. Whether or not they did this, it does highlight the fact that such powerful and potentially dangerous organisations, and their tools, may not be under adequate oversight.”

Several human rights groups, including Amnesty International, are planning to ask an Israeli court to revoke NSO Group’s export license.