Facebook published a security advisory on Monday, May 13th, 2019, warning WhatsApp users that an "advanced cyber actor" had been delivering spyware through the app by exploiting a buffer overflow in its voice-call (VOIP) code. All it took to install the spyware on a target's phone was placing a WhatsApp voice call to it; the target did not even need to answer.
The UK's National Cyber Security Centre, relaying WhatsApp's announcement, says that a small number of users were affected and that everyone who uses the app should update it from their respective app store as soon as they can. Your app may already have updated itself automatically, but do not assume so: check the installed version (Settings > Help > App info in WhatsApp) against the list below.
According to WhatsApp's advisory, these builds are affected (the version named in each entry is the first one that carries the fix, so anything older needs updating):
- WhatsApp for iOS prior to v2.19.51
- WhatsApp for Tizen prior to v2.18.15
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for Windows Phone prior to v2.18.348
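The fixed-version list above is easy to misapply when checking a fleet of devices, because a naive string comparison gets it wrong: as text, "2.19.51" sorts after "2.19.134". The following script, added here as an example and not code from WhatsApp or Facebook, parses dotted versions numerically and triages a device inventory against the advisory's thresholds. The inventory lines are constructed sample data, and their comma-separated format (device, platform, app, version) is an assumption about what an MDM export might look like.

```python
"""Triage a device inventory against the fixed WhatsApp versions above.

Added example, not code from WhatsApp or Facebook. The fixed-version table
is copied from the advisory list on this page; the inventory lines below are
constructed sample data, and the line format is an assumption.
"""
import re

# First version that carries the fix, per the advisory list above.
FIXED_VERSIONS = {
    ("ios", "whatsapp"): "2.19.51",
    ("tizen", "whatsapp"): "2.18.15",
    ("android", "whatsapp"): "2.19.134",
    ("ios", "whatsapp business"): "2.19.51",
    ("android", "whatsapp business"): "2.19.44",
    ("windows phone", "whatsapp"): "2.18.348",
}


def parse_version(s):
    """Turn 'v2.19.134' into (2, 19, 134).

    Comparing the raw strings would be wrong: '2.19.51' > '2.19.134'
    lexicographically, but 51 < 134. Integer tuples compare correctly.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(platform, app, version):
    """True if this build predates the fix, False if it is fixed, and None
    if the platform/app pair is not covered by the advisory (for example
    WhatsApp Desktop), so no conclusion can be drawn from this list."""
    key = (platform.strip().lower(), app.strip().lower())
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines):
    """Split inventory lines into (vulnerable, patched, unknown) lists of
    (device, platform, app, version) tuples. Blank and '#' lines are skipped."""
    vulnerable, patched, unknown = [], [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, platform, app, version = [f.strip() for f in line.split(",")]
        entry = (device, platform, app, version)
        result = is_vulnerable(platform, app, version)
        if result is None:
            unknown.append(entry)
        elif result:
            vulnerable.append(entry)
        else:
            patched.append(entry)
    return vulnerable, patched, unknown


# Constructed sample inventory (not real devices; assumed MDM export format).
SAMPLE_INVENTORY = """
# device,platform,app,version
phone-01,Android,WhatsApp,v2.19.134
phone-02,Android,WhatsApp,v2.19.51
phone-03,iOS,WhatsApp,2.19.50
phone-04,iOS,WhatsApp Business,2.19.51
phone-05,Android,WhatsApp Business,2.19.44
phone-06,Tizen,WhatsApp,2.18.14
laptop-01,Windows,WhatsApp Desktop,0.3.3330
""".splitlines()

if __name__ == "__main__":
    vuln, ok, unk = triage_inventory(SAMPLE_INVENTORY)
    for e in vuln:
        print("UPDATE ", *e)
    for e in ok:
        print("ok     ", *e)
    for e in unk:
        print("unknown", *e)
```

Note that phone-02 (Android 2.19.51) is flagged even though its version string is "greater" than "2.19.134" as text, which is exactly the mistake a quick spreadsheet comparison would make. Devices running apps the advisory does not cover are reported as unknown rather than silently treated as safe.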
The Financial Times, among the first to report on the vulnerability, says the spyware in question was developed by the Israeli technology firm NSO Group, which has surfaced in the news sporadically in recent years. WhatsApp discovered the vulnerability earlier this month, but an attempt to exploit it was made as recently as Sunday, according to Citizen Lab:
WhatsApp has just pushed out updates to close a vulnerability. We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer. Now is a great time to update your WhatsApp software https://t.co/pJvjFMy2aw https://t.co/e8VQUraZWQ
— Citizen Lab (@citizenlab) May 13, 2019
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp told the Financial Times when asked about the hack on Monday evening. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.”
As for NSO, a spokesman for the firm says that it “would not, or could not” use its Pegasus spyware to target “any person or organisation.” That may well be true, but someone is using it for nefarious purposes.