WhatsApp Vulnerability Lets Attackers Deploy Spyware via Unanswered Voice Calls

A WhatsApp vulnerability lets sophisticated attackers install malware on target devices with a degree of stealth. The attack reportedly has roots in security firm NSO Group.

WhatsApp has discovered a dangerous vulnerability that lets sophisticated attackers install spyware via an unanswered voice call. According to the Financial Times, these calls often disappear from logs, so users can be unaware their device is compromised.

Attackers reportedly send SRTCP packets to target phones until they cause a buffer overflow. A spokesperson said the company became aware of the issue in March and has fixed it in the app's latest update. Users must be on version 2.19.51+ on iOS and 2.19.134+ on Android to be safe.

The spokesperson said an unknown number of people were affected by the hack, but a number at least in the dozens would not be inaccurate. Concerningly, the attack code is thought to have roots in Israeli company NSO Group, which sells to governments and is owned by American firm Francisco Partners. NSO denies it had any direct role in the attack.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its , which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its in its own right to target any person or organization,” it said.

Human Rights Abuse Accusations

Meanwhile, WhatsApp says the attack has “all the hallmarks” of a private company working with governments. One of the victims was allegedly a UK human rights lawyer, whom NSO Group again denies it targeted.

NSO has previously been criticized for its Pegasus malware, which governments can use to access the microphone, camera, email, and messages on a device. Ongoing lawsuits claim NSO Group helped clients violate human rights. One of those accuses the firm of aiding the hack and therefore murder of journalist Jamal Khashoggi.

Users can download the latest WhatsApp from the App Store and Google Play Store.