On Monday 13 May, Facebook revealed that an “advanced cyber actor” has been spying on some users of its ridiculously popular WhatsApp messaging app, thanks to a zero-day vulnerability that allowed hackers to install spyware, silently, just by calling a victim’s phone.
The vulnerability is now fixed, which means that if you’re one of WhatsApp’s 1,500,000,000 users you need to go to the well and drink up the latest version.
There’s a good chance your app’s already updated itself, but this is a serious vulnerability so we advise you to check all the same.
WhatsApp isn’t exactly shouting about this. The Facebook Security page, WhatsApp’s company website and WhatsApp’s Twitter feed are bereft of information.
The What’s New sections of the app’s Google Play and Apple App Store listings would love you to know that with the latest version of the app you can now see stickers in full size when you long press a notification, but couldn’t find room to mention that this is the first version that doesn’t allow remote spying.
Instead, Facebook has done the digital equivalent of pinning a security advisory for CVE-2019-3568 to the back of the toilet door in an unlit basement while nobody was looking. It reads as follows:
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
What the description is trying to tell you is that some people who knew about this vulnerability used phone calls to vulnerable devices to install spyware that could listen in on calls, read messages and switch on the camera.
The Telegraph reports that a “select number” of users were affected and has linked the WhatsApp-installed spyware to NSO Group – the company behind the notorious spyware-sold-to-governments known as Pegasus.
That description makes the incident sound like an attack against specific individuals rather than an indiscriminate attempt to spy on as many WhatsApp users as possible.
But that doesn’t stop other people abusing the vulnerability in other ways, so you should still update, even if you think you’re unlikely to have been affected by this attack.
What to do?
- If you have iOS. Go to App Store → Updates. If WhatsApp has automatically updated it will say Open next to it, so you don’t need to update it. If it says Update, tap to install the latest version. To check the current version number, go to Settings → Help in the app itself. [Version number at 2019-05-14T22:00Z was 2.19.51]
- If you have Android. Go to Google Play store → My Apps & Games in the menu. If WhatsApp has automatically updated it will say Open next to it, so you don’t need to update it. If it says Update, tap to install the latest version. To check the current version number, go to Settings → Help → App Info in the app itself. [Version number at 2019-05-14T22:00Z was 2.19.134]
- If you have Sophos Mobile. If you’re a business using Sophos Mobile, you can check that all your users’ devices are running the latest version of WhatsApp, and remotely update the app where needed.
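If you have more than a handful of devices to check, a script is quicker than tapping through Settings → Help on each one. The example below is added here and is not from the article or from WhatsApp; it takes the first fixed build numbers from the advisory quoted above, reads the installed Android version out of `adb shell dumpsys package com.whatsapp` output (the `versionName=` line), and decides whether the build predates the fix. The dumpsys text is a constructed sample, not a real capture, and the platform labels in `FIXED_VERSIONS` are this example’s own naming. The one thing worth noticing is the comparison: done as strings, `"2.19.134" < "2.19.51"` is True, so a naive check would flag the patched Android build as vulnerable.

```python
# Added example (not from the original article): check whether an installed
# WhatsApp build predates the first fixed version listed in the CVE-2019-3568
# advisory. Fixed versions are taken from the advisory text; the adb output
# below is a constructed sample, not a real capture.
import re

# First fixed version per platform, as stated in the Facebook advisory.
# The keys are this example's own labels, not an official naming scheme.
FIXED_VERSIONS = {
    "android": "2.19.134",
    "android-business": "2.19.44",
    "ios": "2.19.51",
    "ios-business": "2.19.51",
    "windows-phone": "2.18.348",
    "tizen": "2.18.15",
}


def parse_version(s):
    """Turn '2.19.134' into the tuple (2, 19, 134).

    Comparing tuples of ints matters: compared as strings, '2.19.134' < '2.19.51'
    (because '1' sorts before '5'), which would wrongly report a patched build
    as vulnerable.
    """
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(part) for part in s.split("."))


def is_vulnerable(platform, installed):
    """True if `installed` is strictly older than the first fixed build for `platform`."""
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(installed) < parse_version(fixed)


def version_from_dumpsys(dumpsys_output):
    """Extract versionName from `adb shell dumpsys package com.whatsapp` output.

    Returns None if no versionName line is present (e.g. app not installed).
    """
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample of the relevant lines of dumpsys output (not a real capture).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.whatsapp] (3a1b2c3):
    userId=10123
    versionCode=451849 minSdk=15 targetSdk=28
    versionName=2.19.133
    splits=[base]
"""

if __name__ == "__main__":
    v = version_from_dumpsys(SAMPLE_DUMPSYS)
    print(f"installed: {v}, vulnerable: {is_vulnerable('android', v)}")
    # The string comparison gets the patched build wrong; the tuple comparison does not.
    print("string compare says 2.19.134 < 2.19.51:", "2.19.134" < "2.19.51")  # True (wrong)
    print("tuple compare says 2.19.134 < 2.19.51:",
          parse_version("2.19.134") < parse_version("2.19.51"))  # False
```

To run it against a real device, replace `SAMPLE_DUMPSYS` with the output of `adb shell dumpsys package com.whatsapp` (or `com.whatsapp.w4b` for WhatsApp Business, checked against the `android-business` entry). The tuple comparison is the part to keep if you fold this into any other inventory check.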
Hydra
You closed a backdoor created for us, but we will replace it with two more. We cannot be uninstalled, we cannot be blocked. Your secrets are ours.
Taylor
How to know if my phone has been attacked? And how to undo it?
Paul Ducklin
We made a Naked Security Live video on this topic – I have now added it to the article. HtH.
anonymous coward
Why was there no SEC filing by Facebook for this, if it really was significant? Why is it that the only users seemingly affected are Saudi arms dealers and an Amnesty International lawyer, whose employer routinely spreads disinformation and lies about Israel and the Middle East? Why does the Telegraph blame NSO, without providing a bit of proof? Quoting a few people is not evidence of this vulnerability being used in the wild. Three times the Telegraph claimed that information was provided to law enforcement, but none of the agencies confirmed receiving any information. Why is that?