WhatsApp call hack installs spyware on users’ phones

A vulnerability has been discovered in WhatsApp that allows hackers to covertly install spyware on users' phones and track their communications and even location.

The exploit, which was first reported by The Financial Times, affects both iOS and Android devices and was discovered by WhatsApp earlier this month.

The malware is delivered through a voice call on the app that doesn't even require the user to answer in order for it to be installed, According to a "spyware dealer" who spoke to the FT and WhatsApp. The spyware dealer also claimed that the attacker was then able to delete call logs, so the user may have no idea they were targeted.

It's alleged that the malicious code was developed by NSO Group, a secretive firm based in Israel that's known primarily for developing spyware under the codename Pegasus, which was discovered by the University of Toronto's Citizen Lab and cyber security firm Lookout in 2016.

Pegasus, which is sold to third parties such as government agencies, can turn on a phone's microphone and camera, and collect information from emails and messages as well as picking up location data.

As in 2016, this latest attack seems to have been used primarily to target those working in the field of human rights, with the FT reporting that a UK-based human rights lawyer was targeted on Sunday 12 May.

IT Pro contacted NSO Group for comment, but hadn't received a response at the time of publication. However, the organisation told the FT: "Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.

"NSO would not, or could not, use its technology in its own right to target any person or organisation."

Independent security researcher Graham Cluley told IT Pro it's not surprising that a vulnerability like this had been found and exploited in WhatsApp.

"Any complicated piece of software is going to have bugs. Such a widely-used piece of software like WhatsApp is going to have many more determined parties looking closely at it for vulnerabilities and exploits than something that few people use," he said

He also said it's unsurprising that a specific victim profile had been targeted by whoever has deployed the malware, rather than used to capture data on all or most users.

"Attacks like this aren't typically used against a large number of individuals, but a small, targeted group of victims that are of high value to intelligence agencies and governments," he said.

It's currently not known how long the vulnerability has been in place, however, the company issued a patch for its mobile apps yesterday and is urging all users to upgrade to the latest version as soon as possible. It has also taken steps to deny attackers the ability to use this exploit at an infrastructure level.

In a statement issued to IT Pro, a WhatsApp spokesman said: "WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users."