WhatsApp vulnerability left iOS open to spyware attack
Facebook-owned WhatsApp on Monday disclosed the recent fix of a VoIP-related vulnerability that allowed nefarious parties to remotely install spyware on both iOS and Android handsets.
Discovered in early May, the now-patched bug in the app's audio call feature allowed hackers to deliver a spyware payload to target devices, a process that worked even if the WhatsApp call recipient failed to answer.
It took WhatsApp less than ten days to patch the security hole following its discovery, reports TechCrunch. How long the vulnerability existed without detection is unknown, but the company confirmed hackers took advantage of the window to install an unknown number of malicious payloads.
Although WhatsApp did not name a specific company or spyware variant associated with the security breach, a statement on the matter points to Israeli vendor NSO Group.
"This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems," WhatsApp said.
NSO develops and markets a well-known and notoriously effective piece of spyware called Pegasus. Typically reserved for government buyers, Pegasus is often used by law enforcement agencies to gain wide access to key device functions and data stores.
Apple has in the past attempted to patch flaws in iOS and macOS leveraged by Pegasus, but NSO continues to uncover and exploit zero-day vulnerabilities in iOS to keep its product functional.
WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said.
The company alerted the U.S. Justice Department and various human rights organizations after discovering the vulnerability, and urges users to update their respective app versions to protect against future attacks.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," WhatsApp said in a statement.
Discovered in early May, the now-patched bug in the app's audio call feature allowed hackers to deliver a spyware payload to target devices, a process that worked even if the WhatsApp call recipient failed to answer.
It took WhatsApp less than ten days to patch the security hole following its discovery, reports TechCrunch. How long the vulnerability existed without detection is unknown, but the company confirmed hackers took advantage of the window to install an unknown number of malicious payloads.
Although WhatsApp did not name a specific company or spyware variant associated with the security breach, a statement on the matter points to Israeli vendor NSO Group.
"This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems," WhatsApp said.
NSO develops and markets a well-known and notoriously effective piece of spyware called Pegasus. Typically reserved for government buyers, Pegasus is often used by law enforcement agencies to gain wide access to key device functions and data stores.
Apple has in the past attempted to patch flaws in iOS and macOS leveraged by Pegasus, but NSO continues to uncover and exploit zero-day vulnerabilities in iOS to keep its product functional.
WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said.
The company alerted the U.S. Justice Department and various human rights organizations after discovering the vulnerability, and urges users to update their respective app versions to protect against future attacks.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," WhatsApp said in a statement.
Comments
"WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said. “
Are you worth it?
On another we have one of the most popular chat apps, under the management of a company that has bucket loads of cash and programming talent - and it has such serious flaws that an entirely different app could be installed covertly through one of its main features.
Apparently WhatsApp allows for the installation of malicious executables - that is against the Appstore rules and apparently leaked through Apple’s authentication process. So indeed - how many more apps might allow this “unforeseen” code execution leak and will never be reported ?
From the article above:
Anyways, to those talking shit about this app and praising Apple...Apple has had their share of massive vulnerabilities in the past. Go be hypocrites somewhere else.
Apple has had occasional issues and fixed them. Facebook has a very long history of spying on its customers, selling customer data, invading privacy, all the way up to helping foreign actors to influence an election. How dare you compare the two!
Apple is still winning the space with iMessage, IMO. Now get to work on those goalposts!
Nope, just recognize shit when I see it. And when it comes to Facebook properties, that's about all they all -- shit. Like I said, the fellow who just the other day here bragged that WhatsApp had "beaten" iOS in the secure-messaging space was quote full of the same. That's the context of what we're discussing here, son.