WhatsApp Discovers ‘Advanced’ Surveillance Hacks

WhatsApp has urged all of its 1.5 billion users to update their software to fix a vulnerability that it said was being actively exploited to implant advanced surveillance tools on users’ devices.

The Facebook-owned company released the fix over the weekend after discovering the vulnerability earlier this month.

The bug was used to implant spyware developed by Israeli developer NSO Group, whose surveillance tools are intended for use by governments and law enforcement agencies, according to an unnamed surveillance software maker cited by the Financial Times.

When attackers rang up a target’s phone, the malicious code would automatically infect the device even if the call was not answered, WhatsApp said in a technical document on the issue.

Update

The attack involved a buffer overflow vulnerability in WhatsApp’s voice over internet protocol (VOIP) stack that allowed remote code execution via a series of specially crafted secure real-time control protocol (SRTCP) packets, WhatsApp said.

The company began rolling out a fix to its servers on Friday, releasing the client update via Google Play on Saturday and on Apple’s App Store on Monday.

WhatsApp’s app store release notes for the latest versions do not mention the security fix.

The company bills its software as providing end-to-end encrypted messaging that can’t be read by outsiders or by WhatsApp itself.

The company acknowledged that the vulnerability had been used to install spyware, without mentioning NSO by name.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said in a statement.

“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

Targeted attacks

WhatsApp said its own security team initially discovered the bug, and notified human rights groups, select security vendors and the US Department of Justice earlier in May.

The company said it is not yet able to estimate how many WhatsApp users were affected, but that attacks were likely to have been highly targeted and to have affected only select users.

The attacks were carried out by an “advanced cyber actor”, WhatsApp said.

NSO’s flagship product, Pegasus, allows users to take over the target’s microphone and camera and to gather location data.

The company is partly owned by British private equity fund Novalpina Capital, which participated in a leveraged buyout of NSO in February.

NSO said it does not operate Pegasus itself and does not determine how it is used.

“NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror,” the group said.

“NSO would not or could not use its technology in its own right to target any person or organisation.”

But Amnesty International, which alleges it has been targeted by NSO’s tools in the past, told the BBC that NSO should be held accountable for the way in which its products are used.

On Tuesday the human rights group is to appear before a Tel Aviv court to call on Israel’s Ministry of Defence to revoke NSO’s export licence.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Norway Plans Temporary Ban On New Crypto Mining Data Centres

Norway reportedly seeks to impose temporary ban on new data centres mining crypto, to conserve…

2 days ago

BBC Warns Perplexity Of Legal Action Over Content Use

British broadcaster BBC alleges US-based Perplexity is reproducing BBC content “verbatim” without its permission

2 days ago

Waymo Applies For New York Testing Permit

Congested streets of New York targetted by Waymo for testing, even though full robotaxis are…

3 days ago

Apple ‘Premium’ Priced Folding iPhones Expected In 2026, 2027

Foxconn is expected to begin a foldable iPhone project later this year, says analyst, with…

3 days ago

Microsoft To Axe Thousands Of Sales Staff – Report

More job losses for Microsoft, after report tech giant is planning to cut thousands of…

3 days ago

SpaceX Starship Explodes On Launch Pad

Another setback? Elon Musk's SpaceX rocket explodes into giant fireball during testing at Starbase facility…

3 days ago