WhatsApp patches security flaw that allows attackers to deliver malware through calls
WhatsApp is urging its 1.5 billion users to update their app after the company detected sophisticated hacking attempts that might have targeted human rights activists.
The Facebook subsidiary said “an advanced cyber actor” exploited a security flaw and installed the malware by targeting users’ mobile phones through WhatsApp’s call function, potentially allowing hackers to access private messages, location data and other information. The company said it detected the pattern of abnormal phone calls this month, updated its servers Friday, and issued new versions of its iPhone and Android apps Monday.
“We believe a select number of users were targeted through this vulnerability by an advanced cyber actor. The attack has all the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”
WhatsApp did not identify the company. But the Financial Times, which first reported the vulnerability, said the spyware was developed by Israel’s NSO Group, whose software is known to have been used against human rights activists. NSO denied having any involvement.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said in a statement Tuesday. “NSO would not or could not use its technology in its own right to target any person or organization, including this individual.”
With terrorists and criminals increasingly using secure communications technology to evade government surveillance, NSO markets its offerings as powerful tools to support the national security aims of its government-customers and help law enforcement work around the “going dark” problem.
But human rights groups and independent researchers say NSO’s Pegasus software has been detected in dozens of countries, sometimes in places where state agencies have a history of deploying spyware against political dissidents and activists.
NSO, which generated $250 million in revenue last year, said its technology is licensed only to authorized government agencies for specific security threats or investigations. It also said its clients undergo a “rigorous licensing and vetting process.”
WhatsApp said it has briefed several human rights groups to help them notify activists who may have been targeted. The company also has notified the U.S. Justice Department.
A London-based lawyer, who declined to be named because of the sensitivity of the situation, said he’d received several suspicious video WhatsApp calls beginning in March that would ring for a few seconds before cutting out. He said he reported the suspicious content to Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which worked with WhatsApp to determine the source of the activity.
He said he was told the attack was a new way of delivering the Pegasus spyware with “zero click.” He said the calls appeared to have originated outside of Britain and that the last attempt was two days ago.
“It’s possible in general to use the Pegasus spyware responsibly, but all the cases we have found are pretty shockingly abusive,” said Bill Marczak, a senior research fellow at Citizen Lab. “It’s really a Wild West out there. At the end of the day it’s civil society that is getting hurt by this. We need real regulation” for the commercial sale of global surveillance tools, he said.
As news of the platform hack began to spread worldwide, WhatsApp encouraged its users to update to the latest version of the app to protect their privacy. The latest version is thought to better protect users against hacking.
But not all users were familiar with how to update the app, leading to a spike in people frantically Google searching: “How to update WhatsApp?” Around the world, people also searched for more information about the breach, although it is not yet known how many people were targeted by the hackers.
This article was written by Loveday Morris, Hamza Shaban and Jennifer Hassan from The Washington Post and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to firstname.lastname@example.org.