Yesterday, we commented on a WhatsApp Messenger update that introduced a new feature for the service, one that has not actually been rolled out yet. The update, however, did more than present a new feature: it fixed a serious security issue discovered by Facebook at the beginning of this month.
More precisely, the flaw allowed crackers to remotely install spyware (software that spies on activity on a device and collects information) through WhatsApp, on both iOS and Android, as reported by TechCrunch.
To do this, crackers took advantage of a vulnerability in the app's audio calling feature that allowed the spyware to be installed on the device when a call was initiated (regardless of whether it was answered or not).
As for the spyware itself, Facebook has revealed that it is the Israeli spyware Pegasus, an old acquaintance of Apple's security experts. The technology, allegedly authored by the NSO Group (which helps government agencies prevent and investigate terrorism and cybercrime), is typically licensed to countries that want to install it on the devices of people targeted by investigations.
WhatsApp believes that a small number of users were attacked, as the attack is not “trivial to implement, limiting its installation to advanced and highly motivated actors”. It is not clear, however, how long the flaw has existed (it was only discovered at the beginning of the month) or how many people were affected.
WhatsApp encourages people to upgrade to the latest version of its app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.
As for the NSO Group, the Financial Times reported that the company is aware of the attack and is investigating it. The Israeli firm, however, pointed out that it "does not engage with the actual applications" of its software, stating that it "examines all its customers and investigates possible abuses, but has nothing to do with how their code is used or against whom".
WhatsApp also said it notified the US Department of Justice and "some human rights organizations" about the matter. Beyond that, the update released yesterday by the company (version 2.19.51) fixes the issue for all users once and for all; therefore, update immediately.