Photo: Bloomberg

How WhatsApp exposed its users to a spyware attack

  • Facebook-owned firm confirms that a vulnerability in WhatsApp opened the door to a spyware attack that installs malicious code on a victim’s smartphone by calling them on WhatsApp
  • WhatsApp makes changes to the infrastructure to deny the ability for the attack to take place

Your favourite messaging platform WhatsApp was not as secure as you thought. The Facebook-owned company, which boasts 1.5 billion users worldwide and 200 million users in India, has confirmed that a vulnerability in WhatsApp opened the door to a spyware attack that installs malicious code on a victim’s smartphone by calling them on WhatsApp.

The breach was first reported by the Financial Times, which indicated that the spyware gets installed on a user’s phone through calls, even if the user misses the call. To stay undetected, the spyware erases the incoming call from WhatsApp’s call logs. The report further claims that the malicious code behind the spyware attack was developed by the NSO Group, an Israeli software company that has recently been accused by Amnesty International of making spyware products used to target human rights activists worldwide.

In a CVE (common vulnerabilities and exposures) notice, WhatsApp identified the flaw as a “buffer overflow” vulnerability in WhatsApp’s “VOIP stack”, which allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.

In an official blog post, Cloudflare, a US-based web performance and security company, explained that a buffer overflow attack occurs when certain memory areas of a running process are overwritten with data beyond the buffer’s capacity. Buffers are usually designed to hold a certain amount of data, unless the app using the buffer has been programmed to discard old data and make room for new data in case of an overflow.

Attackers can exploit this by deliberately feeding carefully crafted input into a program, causing the program to store the input in a buffer that doesn’t have enough space for it. This allows them to overwrite areas holding executable code and replace them with their own malicious code, changing how the program works.

A buffer is an area of the device’s physical memory, particularly RAM (random access memory), where data is stored temporarily to improve performance. Buffers are used frequently during online video streaming for a smoother experience.
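The length-field bug pattern behind overflows of this kind, as an added example in C that is not WhatsApp’s code and that uses a made-up two-byte-length packet layout rather than the real SRTCP format: the unchecked copy trusts the length the sender wrote into the packet, while the checked copy rejects any packet whose claim exceeds the destination buffer or the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical packet layout, constructed for this example only:
 * bytes 0-1: 16-bit big-endian payload length claimed by the sender,
 * bytes 2..: payload. This is not WhatsApp's or any real SRTCP format. */
#define MAX_PAYLOAD 64

/* The bug pattern the article describes: the code trusts the length field
 * in the packet and copies that many bytes into a fixed-size buffer.
 * Shown for contrast only; nothing in this file calls it. */
void copy_payload_unchecked(const uint8_t *pkt, uint8_t out[MAX_PAYLOAD]) {
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(out, pkt + 2, claimed);  /* writes past out[] once claimed > 64 */
}

/* Hardened version: every bound is checked before the copy.
 * Returns the number of bytes copied, or -1 if the packet is rejected. */
int copy_payload_checked(const uint8_t *pkt, size_t pkt_len, uint8_t out[MAX_PAYLOAD]) {
    if (pkt_len < 2) return -1;               /* header itself is truncated */
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    if (claimed > MAX_PAYLOAD) return -1;     /* would overflow out[] */
    if (claimed > pkt_len - 2) return -1;     /* claims more than was received */
    memcpy(out, pkt + 2, claimed);
    return (int)claimed;
}

/* Constructed sample packets: well-formed, oversized, and short. */
int demo_good(void) {
    uint8_t pkt[] = {0x00, 0x03, 'a', 'b', 'c'};        /* claims 3, has 3 */
    uint8_t out[MAX_PAYLOAD];
    return copy_payload_checked(pkt, sizeof pkt, out);
}
int demo_oversized(void) {
    uint8_t pkt[] = {0xFF, 0xFF, 'x', 'y'};             /* claims 65535 */
    uint8_t out[MAX_PAYLOAD];
    return copy_payload_checked(pkt, sizeof pkt, out);
}
int demo_short(void) {
    uint8_t pkt[] = {0x00, 0x10, 'a'};                  /* claims 16, has 1 */
    uint8_t out[MAX_PAYLOAD];
    return copy_payload_checked(pkt, sizeof pkt, out);
}

int main(void) {
    printf("well-formed: %d, oversized: %d, short: %d\n",
           demo_good(), demo_oversized(), demo_short());
    return 0;
}
```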

Unlike Windows OS, Unix-based operating systems like iOS and Android use a sandbox design, which separates the app layer from the rest of the system, making them more difficult to attack. “The attack installs an application called Pegasus on the target device, which can potentially escape the application sandbox implemented by the OS and read text messages, activate the microphone and camera, and collect sensitive information stored on the device,” points out Jaspreet Singh, partner, information security, EY.

While WhatsApp is yet to confirm exactly how many users were affected, it believes only a select number of users were targeted.

“The publicly available information shows that an attacker could execute arbitrary code within the WhatsApp application, thereby gaining access to a wide range of data stored in the device memory, such as the correspondence archive, as well as the camera and microphone,” says Victor Chebyshev, anti-malware expert at Kaspersky Lab.

In an official statement to the press, WhatsApp claims that it identified the vulnerability, which could enable an attacker to insert and execute code on mobile devices, early this month, and promptly fixed it. WhatsApp has made changes to its infrastructure to deny the ability for this attack to take place. It is also encouraging users to update the app and to keep their mobile OS up to date.
