Facebook has discovered a dangerous WhatsApp vulnerability that lets sophisticated attackers install spyware via an unanswered voice call. According to the Financial Times, these calls often disappear from logs, so users can be unaware their device is compromised.
Attackers reportedly send SRTPC packets to target phones until it causes a buffer stack overflow. A WhatsApp spokesperson said it became aware of the issue in March and has fixed the issue in the app’s latest update. Users must be on version 2.19.51+ on iOS and 2.19.134+ on Android to be safe.
The spokesperson said an unknown number of people were affected by the hack, but a number at least in the dozens would not be inaccurate. Concerningly, the attack code is thought to have routes in Israeli security company NSO Group, which sells spyware to governments and is owned by American firm Francisco Partners. NSO denies it had any direct role in the attack.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organization,” it said.
Humans Rights Abuse Accusations
Meanwhile, WhatsApp says it has “all the hallmarks” of a private company working with governments. One of the victims was allegedly a UK humans rights lawyer, who NSO Group again denies it targetted.
NSO has previously been criticized for its Pegasus malware, which government can use for microphone, camera, email, and message access on a device. Ongoing lawsuits claim NSO Group helped clients violate human rights. One of those accuses the firm of aiding the hack and therefore murder of journalist Jamal Khashoggi.