WhatsApp fixes bug that allowed spyware spread – update
WhatsApp confirms that in recent days it has rolled out a fix, on both the server and the user side, for a vulnerability in its app. That vulnerability made it possible to distribute spyware via WhatsApp calls to spy on smartphone users.
The exact details are not yet known, but the exploit abused the VoIP system in WhatsApp to infiltrate iOS or Android, the Financial Times said. Subsequently, it would have been possible to spy on smartphone users. The fix on the servers has been in place since Friday, while users could get a patch from Monday. The latest versions in the Play Store and App Store are from Saturday and Monday, but the changelog doesn’t mention anything about the fix.
WhatsApp confirms the exploit to the business newspaper. “This attack has the signs of a private company working with governments to provide spyware that can take over functions of telephone operating systems. We have briefed a number of human rights organizations and shared all the information we can. We are working with them to inform society.”
The spyware is said to come from the Israeli NSO Group, although it is unknown whether that company also found the vulnerability. The attack works by calling someone via WhatsApp. The spyware can be injected this way even if the person does not answer. It is unknown how many people are affected by the spyware. Facebook subsidiary WhatsApp has not yet published any information about the attack except for the statement to the Financial Times.
Update, 7:42: It concerns a buffer overflow vulnerability in WhatsApp’s VoIP stack, according to a description of the vulnerability. Code execution is possible by sending specially prepared SRTCP packets to the phone. It is still unknown how much data malicious parties could see thanks to the attack.