WhatsApp may be expiring for some users, but those folks without worries on that front still have something to worry about. Certain versions of the app are vulnerable to an exploit that installs spyware, developed by Israeli outfit NSO Group, according to reports. And the nasty part is the penetration method — WhatsApp can be infected with nothing more than a missed call.
The call doesn’t have to be answered, according to the Financial Times. Either Android or iOS devices using a vulnerable version of WhatsApp just need to receive the missed call, which often disappears from call logs. A WhatsApp representative, speaking to Ars Technica, said “[A] select number of users were targeted through this vulnerability by an advanced cyber actor. The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems”.
The exploit could be used, along with NSO Group’s Pegasus program, to turn on an infected phone’s camera and mic, as well as provide access to location data, emails, and messages on the device. Nasty.
Go update. Now. We’ll wait
The good news? WhatsApp is well aware of the vulnerability, described as a “…buffer overflow vulnerability in WhatsApp VOIP stack [allowing] remote code execution via specially crafted series of SRTCP packets sent to a target phone number”. The flaw was also fixed in an update to WhatsApp’s servers last week Friday, reports Ars Technica, with the fix rolling out to users yesterday. That’s where you come in. If you’re the type to put off app updates as long as possible, this is one that you shouldn’t procrastinate on. You’re statistically unlikely to be a target of this particular security hole, but it’s always better to be safe than sorry.