A select number of WhatsApp users around the world may have had their phones infected by sophisticated government-grade spyware, with human rights activists being reported as prime targets.
On May 14, 2019, four days after WhatsApp had rolled out its latest release, the Financial Times reported a vulnerability in older versions of the app that allowed attackers to inject spyware onto phones through a simple in-app missed call.
Following the Financial Times' report, WhatsApp issued a statement that acknowledged the threat in its older versions and encouraged its users to update their apps.
BOOM also received the following message on its WhatsApp helpline from one of its subscribers:
Upon investigating the claims in the message, BOOM found them to be true.
According to WhatsApp, "the attack has all the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems".
The spyware used to infect the phones through missed in-app calls on WhatsApp has been identified as Pegasus, made by an Israeli cyber intelligence company called NSO Group.
Thwarting Privacy With Pegasus
According to the BBC, NSO is an Israel-based, American-owned company that "specialises in creating what it calls tools against crime and terrorism". However, human rights activists have claimed that NSO's spyware has been constantly used to target them instead, in collusion with governments.
NSO - which is reportedly valued at $1bn currently - came under scrutiny in 2016, when one of its spyware tools was used in an attempt to hack the iPhone of a UAE-based human rights defender, Ahmed Mansoor.
Apple had to quickly roll out a new bug fix, following which they encouraged users from all over the world to update their operating systems.
The Financial Times recently reported that NSO's flagship spyware Pegasus - whose sales are regulated by the Israeli government - has been updated to use a vulnerability in WhatsApp's in-app voice call to 'drop the payload' (inject the spyware) inside a mobile phone.
"Within minutes of the missed call, the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages and location, and even turns on the camera and microphone to live-stream meetings."
- Financial Times
It was only in the month of May that WhatsApp developers detected the loophole and decided to close it with the latest bug fix in Version 2.19.134, which was rolled out globally on May 10, 2019.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."
- WhatsApp Spokesperson
No details about the vulnerability in its older versions or the threat from the Pegasus spyware were mentioned in the description of the new release.
So, Should WhatsApp Users Be Worried?
WhatsApp was not able to share numbers with regard to how many people were affected, due to the sophisticated nature of the attacks. "We believe a select number of users were targeted through this vulnerability by an advanced cyber actor," the company stated.
WhatsApp also told Reuters that the latest attack could have been used to target human rights groups. While NSO did not comment specifically on the current attack, it told Reuters that it would investigate any "credible allegations of misuse" of their technology.
Meanwhile, one day before news of the WhatsApp threat broke, Amnesty International had supported an appeal to take the Israeli Ministry of Defence to court, to demand the revocation of NSO Group's export license.
"NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics."
- Danna Ingleton, Deputy Director of Amnesty Tech. Source: Amnesty International
How To Update WhatsApp?
WhatsApp users have been encouraged to update their apps to the latest version - V 2.19.134.
Here is how Android and iPhone users can easily update the popular messaging app.
Android
If you are an Android user, follow these steps:
- Open Play Store
- Tap on Menu
- Select "My apps and games"
- Tap on "Update" next to WhatsApp Messenger
iPhone
If you are an iPhone user, follow these steps:
- Open App Store
- Tap on Updates
- Tap on "Update" next to WhatsApp Messenger