WhatsApp vulnerability allowed hackers to snoop on users’ calls and messages via spyware

Facebook-owned WhatsApp recently confirmed a vulnerability in its app that allowed attackers to install malicious spyware, which could have been used to surveil phone calls made over the app without users’ knowledge.

The vulnerability was first reported by The Financial Times, which named Israel’s cyber surveillance company NSO Group, which sells to security companies and governments to fight terrorism, as being behind the spyware.

According to WhatsApp, the vulnerability allowed attackers to inject the surveillance software onto both iPhones and Android devices using a single WhatsApp call. The code developed by NSO could be transmitted even if users did not answer the call. Additionally, in many cases the call disappeared from the WhatsApp call logs altogether, leaving the user no reason for suspicion. Once installed, the spyware is able to turn on the target phone’s camera and microphone, scan emails and messages, and collect the user’s location data.

When questioned about the Financial Times report, NSO in a statement said its technology “is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions.”

The company also mentioned that it does not use the hacking tools itself. “We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”

After learning about the vulnerability, WhatsApp fixed the flaw and issued a patch for customers on Monday, urging its users to update the app.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesperson said in a statement. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

The vulnerability seems to affect WhatsApp for Android prior to version 2.19.134 and WhatsApp Business for Android prior to version 2.19.44. On iOS devices, WhatsApp prior to version 2.19.51 and WhatsApp Business prior to version 2.19.51 seem to have been affected.