19 May 2019

WhatsApp flaw let attackers install spyware with a phone call


A vulnerability in messaging app WhatsApp allowed attackers to install spyware onto phones, the Financial Times reported Monday.

The malicious code, developed by Israeli company NSO Group, was installed on both iPhones and Android phones through the app's phone call feature, the newspaper reported. The spyware could be transmitted even if the target victim didn't answer their phone, and the calls often disappeared from users' call logs.

Facebook-owned WhatsApp said the attack has the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a WhatsApp spokesperson said in a statement.

In 2016, NSO Group was accused of providing spyware to nation-states to steal data from activists' iPhones. The company has said it obeys applicable laws.

NSO said Monday that its technology is licensed to governments to fight crime and terror.

"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions," NSO said in a statement. "We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," NSO said, adding that it would never use its own technology to target an individual or organizaton.

WhatsApp, which has about 1.5 billion users, reportedly doesn't know how many phones may have been infected with the spyware.

Engineers at the company were working to close the vulnerability Sunday night and issued a patch for customers on Monday, the Financial Times reported. 

WhatsApp said it informed the US Justice Department of the vulnerability last week.

The Justice Department didn't immediately respond to requests for comment.
