WhatsApp users urged to install app update to patch serious spyware vulnerability

Users of WhatsApp could be infected by dangerous spyware just by receiving a call. The spyware, which is thought to  originate from Israeli cyber intelligence firm NSO Group, can be installed just by calling a target -- there is no need for the call to be answered.

A security advisory on the Facebook website does not go into much detail about the exploit, which takes advantage of a buffer overflow vulnerability. WhatsApp says it was discovered earlier this month, and with 1.5 billion users, there are a huge number of people that are potentially affected.

See also:

• New York attorney general to investigate Facebook for scraping 1.5 million users' email contacts
• How to delete the contacts that Facebook may have scraped from you
• Facebook suffers huge outage, along with WhatsApp and Instagram

News of the security hole came via the Financial Times, and WhatsApp says that "this attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems". It went on to say that it has "briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society".

An advisory from Facebook describes the vulnerability (CVE-2019-3568): "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number".

The company explains that the problem affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

In a statement, a WhatsApp spokesperson said:

WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.

Facebook says that a server-side patch was pushed out on Friday, and that on Monday an app update was made available to users. If you are a WhatsApp users, now is the time to check for updates and get the latest patch installed.

Image credit: MichaelJayBerlin / Shutterstock