Reliable information about the situation is in somewhat short supply at this point. What is known is that a specially crafted call can trigger a buffer overflow in WhatsApp, allowing hackers to take control of the application and execute arbitrary code in it. It seems the attackers used that method not only to snoop on users’ chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. And that’s what they did, installing a spyware app.
According to Facebook, which is the owner of WhatsApp, the vulnerability is now patched. It affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15. That means only the very latest versions of the app are currently safe to use as the vulnerability was patched just a couple of days ago.
Attempts to exploit this vulnerability have already been spotted in the wild. WhatsApp’s security team had implemented some changes on the back end that allowed them to block attacks that relied on the vulnerability, but how many people were spied on and who they were have still not been disclosed.
It is also not yet fully clear which spyware app exactly was being installed in the second stage of attack, but some parties suspect that might be Pegasus, the spyware that is famous for its supremely flexible infection capabilities.
It’s worth mentioning that such vulnerabilities are hard to exploit and that Pegasus (assuming it was Pegasus) is expensive malware used mostly by state-sponsored actors. That means that if you’re of no interest to such high-profile spies, you’re probably safe. However there’s always a chance that the spying tools might be leaked and used by other actors, so it’s wise to protect yourself.
“The publicly available information shows that an attacker could execute arbitrary code within the WhatsApp application, thereby gaining access to a wide range of data stored in the device memory, such as the correspondence archive, as well as the camera and microphone,” says Victor Chebyshev, anti-malware expert at Kaspersky Lab.
“The latest information suggests that the attackers used several vulnerabilities, including zero-day vulnerabilities for iOS, and the attack was multi-stage, allowing an attacker to gain a foothold on the device by installing a spyware application on it. Given that these vulnerabilities were apparently exploited on both Android and iOS devices, they are very dangerous. We urge all users to look out for and to install, without delay, any newly released software updates that block vulnerabilities exploited by the malware,” added Chebyshev.
How to protect yourself from WhatsApp attacks
Kaspersky Lab advises users to make sure their Whatsapp is up to date. To do that, go to the Apple App Store or Google Play Store, look for WhatsApp and hit Update. If there’s no “Update” button, but you see the “Open” button instead, that means the latest version of WhatsApp is already installed on the device and it is already patched against such attacks.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.