To pull off this intrusion, the attacker has to carefully manipulate packets of data sent during the process of starting a voice call with a victim; when these packets are received by the target's smartphone, an internal buffer within WhatsApp is forced to overflow, overwriting other parts of the app's memory and leading to the snoop commandeering the chat application.
WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users, and was orchestrated by "an advanced cyber actor". Once installed on a phone, the software can extract all of the data that's already on the device (text messages, contacts, Global Positioning System location, email, browser history, etc) in addition to creating new data by using the phone's microphone and camera to record the user's surroundings and ambient sounds, according to a 2016 report by the New York Times. Though it is "just" a case of a bug gone terribly wrong, WhatsApp should probably take its role more seriously especially considering how it is being used for sensitive purposes that could even involve lives.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits created to compromise information stored on mobile devices", a WhatsApp spokesperson said in a statement.
Although it refrained from naming the company, WhatsApp is probably referring to NSO Group, an Israeli technology firm notorious for developing a spyware program known as Pegasus that has targeted human rights activists, politicians and journalists. The chat service has also changed its IT infrastructure to prevent the attack from ever taking place.
The vulnerability is found in WhatsApp for Android prior to version v2.19.134 and WhatsApp for iOS prior to v2.19.51. The company has rolled out a fix, though it is unclear how many users were affected. NSO Group itself is reported to be investigating the issue.
The messaging company said it has briefed human rights organisations on the finding, and notified US law enforcement to help them conduct an investigation.
"NSO's technology is licensed to authorized government agencies for the sole goal of fighting crime and terror. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system", the statement read.
NSO limits sales of its spyware, Pegasus, to state intelligence agencies.