Just a very quick note to make sure you all have an up-to-date version of WhatsApp installed!
Reports are that the company’s security teams have confirmed a vulnerability that allows spyware to be installed on users’ devices after just receiving an unanswered call.
No user interaction is required.
You will need to update your application to the latest available version as soon as possible to make sure you’re not affected.
It’s yet another nail in the data and information privacy coffin that parent company Facebook currently sits in. I would urge you to make sure that you always stay on top of your updates on all devices; they will normally be safer and more stable (make sure you back up your device and files whenever possible).
If you want more info on the vulnerability, read on…
What’s the issue here then…
The security teams at WhatsApp (Facebook) were scrambled over the weekend to patch the vulnerability, designated CVE-2019-3568. It’s effectively a surveillance zero-day that needs no user interaction and cleans up after itself, so you are none the wiser.
It’s caused by a classic buffer overflow weakness found within the voice over IP (VoIP) stack of the app itself. Once it’s in, the malicious code can traverse your device for files, photos and contacts, eavesdrop on calls and, of course, read your messages.
While no one has directly taken responsibility for the spyware attack yet, it has been suggested that an Israeli company, the NSO Group, is to blame. The NSO Group has boasted of no-click install software capabilities for some time; maybe they have just proved their claims?
Of course, and perhaps rightly so, there has been a sharp and strong denial by the NSO Group of their involvement. I have no doubt legal recourse is already underway both for and against the organisation. (The group has previously been targeted by law practitioners for other, ahem, questionable activities, none of which are proven…)
Who’s the target?
Anyone really. It’s a deliberate and direct attack, so you’d probably need to have upset someone, though these things rarely stay in the shadows of “private and personal” attacks for long.
There has been some mention that top lawyers, CEOs and government officials are the real target, but any one of the 1.5 billion users, on any operating system, could be at risk until they patch.
Make sure your software and applications are always up to date! They don’t pay their development teams money to release updates with nothing in them, and they are normally constantly patching new issues. Just make sure to back your files up first…
If you’d like more information, get in touch in the comments.
If you want professional advice around such security issues as CVE-2019-3568, get in touch with our people over at Centric Security using their contact email firstname.lastname@example.org