
Zero-day WhatsApp vulnerability could lead to spyware infection

A zero-day vulnerability in WhatsApp was used in targeted attacks that involved installing spyware on mobile devices, which may be the work of an advanced threat actor.

A newly disclosed WhatsApp vulnerability was used in targeted attacks that delivered spyware to victims.

The zero-day vulnerability was discovered by WhatsApp's team earlier this month. The company, which issued a patch on Monday, said in an advisory that "a buffer overflow vulnerability in [the] WhatsApp VoIP [voice over IP] stack allowed remote code execution via [a] specially crafted series of [secure real-time control protocol] packets sent to a target phone number."

In plainer terms, the WhatsApp vulnerability could be used to install malware on mobile devices by simply calling the target device. The victim would not need to answer the call in order for an attack to succeed. According to the Financial Times, which first reported that the vulnerability was being exploited, the calls used to deliver malware would often disappear from call logs.

A WhatsApp spokesperson wrote via email that the company "discovered this issue while doing security improvements to WhatsApp and noticed abnormal behavior that impacted users. We worked promptly to resolve this matter through changes to our infrastructure and making an update widely available to all users."

WhatsApp informed the U.S. Department of Justice about the flaw last week and made fixes to company servers on Friday in order to prevent more attacks. Patched versions of mobile apps were released today for both WhatsApp and WhatsApp for Business on Android, iOS, Windows Phone and Tizen. WhatsApp also informed Ireland's Data Protection Commissioner -- the EU regulator in charge of potential GDPR violations -- of the vulnerability, despite the company not knowing if any EU user data was affected.

WhatsApp, which is owned by Facebook, has 1.5 billion active users. But a WhatsApp spokesperson wrote via email that the company believes only a "select number of users were targeted" using this WhatsApp vulnerability, and it appeared to be the work of "an advanced cyber actor."

The WhatsApp spokesperson did not attribute the attacks to a specific organization, but said the attacks had "all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems."

The spokesperson also confirmed the company has "briefed a number of human-rights organizations to share the information we can and to work with them to notify civil society."

The Citizen Lab, a research lab at the University of Toronto's Munk School of Global Affairs and Public Policy, confirmed on Twitter that the WhatsApp vulnerability was used in a targeted attack against a human-rights lawyer. The Citizen Lab, which has studied cyber espionage and spyware attacks on human-rights supporters and journalists, did not directly attribute the attacks to a specific group or company.

Marty Puranik, CEO of Atlantic.Net, a cloud hosting provider based in Orlando, Fla., said the situation was "disturbing," because it demonstrated that a private company was able to develop commercial software for spying on WhatsApp users.  

"Specifically, if a way to exploit WhatsApp was marketed/or sold as a commercial solution for governments, yet WhatsApp wasn't able to secure against it in a timely manner," Puranik said, "it calls into question whether there really is any form of secure communication on any platform."  
