NEW DELHI: Facebook-owned WhatsApp, which has more than 1.5 million global users, requested its customers on Tuesday to upgrade the app to its latest version after a report expressed concern over malicious spyware.
The spyware, created by an ‘advanced cyber actor’ has inflected multiple targeted mobile phones through the popular app without any user intervention through in-app voice calls, the company had said. According to Financial Times, the actor has been identified as Israel's NSO Group. A WhatsApp spokesman later said: "We're certainly not refuting any of the coverage you've seen."
A spokesperson of the company told Reuters, “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.
How was the security flaw misused
The attackers used WhatsApp's voice calling feature to call up a victim's device, that in-turn installed the surveillance software. The surveillance software would be installed even the receiver didn't pick up the call. According to FT, the call would often disappear from the device's call log.
WhatsApp published an advisory to security specialists, in which it described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP (voice over internet protocol) stack allowed remote code execution via specially crafted series of SRTCP (secure real-time transport protocol) packets sent to a target phone number."
Prof Alan Woodward from the University of Surrey Tweeted that it was a "pretty old-fashioned" method of attack.
"In a buffer overflow, an app is allocated more memory than it actually needs, so it has space left in the memory. If you are able to pass some code through the app, you can run your own code in that area," he said.
Who was attacked
WhatsApp said it was too early to be sure how many users were affected.
Amnesty International said this attack was one the human rights groups had long feared was possible.
TechCrunch said: "This is, as you can imagine, an extremely severe security hole, and it is difficult to fix the window during which it was open, or how many people were affected by it."
Ahmed Zidan, from the Committee to Protect Journalists said the attack was aimed at journalists, lawyers activists and human rights defenders.