Everyone with WhatsApp on their phone should update to the latest version of the app as soon as possible, the company said on Tuesday.
Used by 1.5 billion people around the world, the Facebook-owned messenger app disclosed a vulnerability yesterday that allowed hackers to remotely install spyware on iOS and Android phones by placing voice calls on WhatsApp. The latest update is said to fix the flaw and secure the app.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesman told CNBC on Tuesday.
The WhatsApp vulnerability is a so-called “zero click zero day”, a previously undiscovered vulnerability that can infect a target’s phone with no action from the victim. Most previously discovered vulnerabilities of this kind required the victim to click a link in order to be infected.
With no need to click anything or make any mistakes in order to trigger the attacker’s success, being targeted may be almost a fait accompli. The difference here is that the Israeli firm believed to have created the exploit, NSO Group, appears to have been caught.
These kinds of vulnerabilities are particularly valuable—and expensive—and have been heavily marketed by NSO Group for at least the last year. (NSO Group has so far not denied that it’s behind the attack.)
WhatsApp and an increasing number of messenger apps offer end-to-end encryption. The NSO exploit gets around that protecting by infecting your phone and accessing information before it’s encrypted. This does not mean end-to-end encryption is useless, as some hot take artists have suggested.
After all, NSO exploits are expensive, highly targeted, and have a limited shelf life that ends as soon as the vulnerability is patched, as WhatsApp says it did today. As opposed to targeted attacks, end-to-end encryption protects against mass eavesdropping.
This does mean that end-to-end encryption is not a complete panacea that would solve all possible cybersecurity problems — which is an idea common sense and industry experts told us a long time ago. There is no such thing as a perfect solution, but that doesn’t mean the solutions we have are anything close to useless.
Turning on automatic updates for both apps and the operating system is one of the easiest and most effective ways to secure your device as quickly and permanently as possible.
Updating and being aware of threats is important, but so too is keeping a healthy perspective. These exploits cost a lot of money to develop and buy. We don’t know how many victims there are, but history and common sense tells us the exploit is being used very selectively to target a small handful of unfortunate individuals and that you are almost certainly not among them.
If you do think you were being targeted based on those indicators of compromise, contacting a group like the Electronic Frontier Foundation or CitizenLab may be a smart next step.
What are the IOCs? Repeated WhatsApp calls from a number that is not in your contact list that crashes the app. If you've seen this behavior in your phone recently, contact me. https://t.co/FI5csHgJot
— Eva (@evacide) May 13, 2019
This hack, first reported by the Financial Times reported on Monday, was used to target a U.K. human rights lawyer who reported suspicious behaviour — strange WhatsApp calls from Sweden — to the human rights and technology group CitizenLab. From there, a warning was issued to WhatsApp, according to a report in Forbes.
The exploit appears to have worked but was noticed due to a series of early morning international voice calls.
NSO Group is a company made up largely of Israeli intelligence veterans who develops hacking products to sell to governments around the world. They’ve been at the centre of an unprecedented spotlight in the last few years because their products have repeatedly been found to target human rights activists, lawyers, journalists, and even children. Each time, NSO has claimed they are not responsible for what their customers do.
The human rights lawyer targeted in the United Kingdom was advising Mexican journalists who are suing NSO Group for hijacking their phones, Forbes reported.