Messaging service WhatsApp recently confirmed that a major vulnerability allowed hackers to install remote surveillance software on phones and other devices. The vulnerability was used to target several users, and the attack was almost certainly the work of “an advanced cyber-actor.”
WhatsApp carries a strong reputation as a secure messaging app. But now the Facebook-owned messenger is under scrutiny. How did the hackers breach WhatsApp? And is WhatsApp still safe to use?
WhatsApp Security Breach Allows Malware Installation
The vulnerability exploits WhatsApp’s voice calling to ring the target’s device. Once the call starts, an advanced surveillance tool installs. The victim doesn’t need to answer the call; the malware still installs. After the incoming call finishes, the surveillance tool wipes any notifications and call logs relating to the malware.
The spyware itself is capable of trawling through and collecting phone call data, messages, photos, and videos, as well as activating and recording the microphone and camera. It is an advanced, dangerous piece of malware that could cause significant damage. However, while the malware itself and the exploitation of WhatsApp are advanced, the attack relied on a pretty old technique.
WhatsApp owner Facebook published a security advisory describing the hack as “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”
A buffer overflow is where a program, or in this case, app, accesses system memory it should not have access to. If an attacker can figure out how to run code in the unauthorized memory area, they can execute something malicious, which is what happened here.
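The class of bug the advisory describes, shown from the defender's side as an added example: this is not WhatsApp's code and not the actual flaw, whose details the page does not give. The wire format, `parse_ctrl_msg`, `check_packet` and `PAYLOAD_MAX` are all hypothetical; the point is that a length field chosen by the sender must be checked against both the bytes received and the destination buffer before any copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64 /* capacity of the fixed receive buffer (assumed) */

enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_LENGTH_MISMATCH = -2, ERR_TOO_LARGE = -3 };
struct ctrl_msg { uint8_t type; uint16_t len; uint8_t payload[PAYLOAD_MAX]; };

/* Hypothetical wire format, constructed for this example:
 * byte 0 = type, bytes 1-2 = payload length (big-endian, sender-chosen),
 * bytes 3.. = payload. */
int parse_ctrl_msg(const uint8_t *pkt, size_t pkt_len, struct ctrl_msg *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 3)
        return ERR_TRUNCATED;
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    /* Unsafe pattern: memcpy(out->payload, pkt + 3, declared) with no checks
     * trusts the sender's length field and can run past both buffers. */
    if ((size_t)declared > pkt_len - 3)
        return ERR_LENGTH_MISMATCH; /* claims more bytes than arrived */
    if (declared > PAYLOAD_MAX)
        return ERR_TOO_LARGE;       /* would write past payload[] */

    out->type = pkt[0];
    out->len = declared;
    memcpy(out->payload, pkt + 3, declared);
    return PARSE_OK;
}

/* Builds a constructed packet whose header declares `declared` payload bytes
 * while `actual` bytes (capped at 256) follow, and returns the verdict. */
int check_packet(uint16_t declared, size_t actual)
{
    uint8_t pkt[3 + 256] = {0};
    struct ctrl_msg msg;
    if (actual > 256) actual = 256;
    pkt[0] = 0x01;
    pkt[1] = (uint8_t)(declared >> 8);
    pkt[2] = (uint8_t)(declared & 0xff);
    return parse_ctrl_msg(pkt, 3 + actual, &msg);
}

int main(void)
{
    printf("%d %d %d\n", check_packet(16, 16), check_packet(65, 65), check_packet(200, 16));
    return 0;
}
```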
Which Devices Does the WhatsApp Hack Affect?
All of them, simply put.
If your phone has WhatsApp or WhatsApp Business installed, the vulnerability could affect your device. That means Android, iOS, Windows 10 Mobile phones, and Tizen devices.
Who Is Behind the WhatsApp Hack?
There are strong suspicions that the Israeli cybersecurity company, NSO Group, is behind the hack. The NSO Group has a strong history of producing such advanced malware, as well as having the expertise to execute something of this nature.
The WhatsApp security breach reads like a nightmare, a dystopian world of tech-enabled total surveillance – targeted at lawyers, dissidents and human rights activists. When were ministers informed? How many UK users are affected? Have they been notified? My Urgent Question… pic.twitter.com/eIgbnqqVMi
— Tom Watson (@tom_watson) May 15, 2019
Facebook told the Financial Times that the “attack has all the hallmarks of a company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”
The statement is referencing the Pegasus spyware the University of Toronto’s Citizen Lab discovered in 2016. Citizen Lab uncovered Pegasus after the highly advanced malware was used to target prominent human rights activist, Ahmed Mansoor. Pegasus used three individual zero-day exploits to conduct a remote iPhone jailbreak. It forced Apple to release an unexpected iOS update to patch the vulnerabilities.
Aside from the alternative method of attack, the WhatsApp hack demonstrates another worrying development. The malware delivered by the WhatsApp exploit didn’t require a click or tap to install. The malware is silent, installs itself, and then deletes the evidence.
The NSO Group released a statement attempting to distance itself from the WhatsApp hack.
“NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions.
“We investigate any credible allegations of misuse, and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.
“NSO would not or could not use its technology in its own right to target any person or organization, including this individual.”
Am I At Risk of the WhatsApp Hack?
Honestly, it is highly unlikely that you will become a direct victim of the WhatsApp hack.
Attacks of this nature are rare and are usually the work of a state-backed threat actor. The orchestrators only use such an attack to target specific individuals or organizations. Once security researchers discover and analyze the attack, it is usually as good as done. The developer of the vulnerable or exploited service, app, or program will take action and patch the issue, ensuring no one can use it.
Therefore, you can safely assume that you are not a target.
The few targets identified confirm this theory: an Amnesty International researcher, a UK-based human rights lawyer, and others.
It’s Time to Update WhatsApp
That said, it is time to update WhatsApp on your devices. WhatsApp rolled out an urgent update in the days immediately following the hack. The update patches the vulnerability.
How to Update WhatsApp on Android
- On your device, open the Google Play Store
- Tap the menu icon in the top-left corner
- Open My Apps & Games
- Check to see if WhatsApp has already updated; it will appear near the top of your apps list if so
- Otherwise, find WhatsApp on the list and select Update
How to Update WhatsApp on iOS
- On your device, open the App Store
- Tap Updates
- Check to see if WhatsApp has already updated; it will appear in the list of apps with an Open button
- If not, the button will say Update; tap the button to install the WhatsApp update
Is WhatsApp Still Safe to Use?
The big question. Can you still use WhatsApp safely?
Despite how certain publications attempt to frame the WhatsApp hack, the app is still safe to use (after you update!). As you see from the identified targets, unless you fit that bracket, you are not going to encounter an attack of this type.
The post-WhatsApp hack issue lies with poor reporting. WhatsApp carries a reputation for protecting privacy because it uses end-to-end encryption to secure your communication. The fact of the matter is that this attack didn’t breach the encryption.
Publications that frame the attack in this manner only seek to capitalize on the misunderstandings and murkiness already present in a situation with such high-level threat actors.
Vehicle hit by Hellfire missile shows that wearing your seat belt is largely pointless pic.twitter.com/7GnZ17xo0K
— MalwareTech (@MalwareTechBlog) May 14, 2019
The WhatsApp hack was a highly specialized and almost invisible attack that WhatsApp and Facebook did well to spot before more targets were compromised. Presenting it in any other manner, as if it is like a regular WhatsApp phishing attempt or a drive-by malware download, is irresponsible.