A vulnerability in Facebook’s WhatsApp could allow attackers to install spyware on impacted smartphones.
The encrypted messaging app WhatsApp was acquired by Facebook in 2014 and is used by nearly 1.5 billion people worldwide.
According to a Financial Times report, WhatsApp discovered earlier this month that attackers were able to install surveillance software, the Pegasus mobile spyware (made by the Israeli company NSO Group), onto iPhones and Android phones.
Attackers could call targets using the application's voice-call function, and the malicious code could be delivered even if the target never answered the call. Once installed, the malware could be used to surveil calls made over the app or to access data stored on the device.
Facebook published a security advisory and patch for the WhatsApp vulnerability CVE-2019-3568:
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
Additional statements were made by WhatsApp and NSO related to the confirmed issue, as noted in a CNBC report late Monday.
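The advisory describes the bug class only as a buffer overflow in the VOIP stack triggered by crafted SRTCP packets. The example below is added here to illustrate that class from the defender's side; it is not WhatsApp's code and makes no claim about the actual defect. RTCP (RFC 3550) packets carry a 16-bit length field counted in 32-bit words, and a parser that trusts that field without comparing it to the number of bytes actually received is the textbook way such overflows arise. The parser here validates every length against the real buffer and rejects a compound packet whose declared length overruns it. The sample packets are constructed for this example.

```python
import struct

RTCP_HEADER_LEN = 4  # V/P/RC byte, packet type byte, 16-bit length (RFC 3550 §6.4)


def parse_rtcp_compound(buf: bytes) -> list:
    """Walk an RTCP compound packet, checking each length field against the
    bytes actually received. Returns [(packet_type, length_in_bytes), ...]
    or raises ValueError on the first malformed packet."""
    packets = []
    offset = 0
    while offset < len(buf):
        # The fixed header must be fully present before any field is read.
        if offset + RTCP_HEADER_LEN > len(buf):
            raise ValueError(f"truncated RTCP header at offset {offset}")
        first, pt, length_words = struct.unpack_from("!BBH", buf, offset)
        version = first >> 6
        if version != 2:
            raise ValueError(f"bad RTCP version {version} at offset {offset}")
        # Length is in 32-bit words minus one, so the smallest packet is 4 bytes.
        pkt_len = (length_words + 1) * 4
        # This is the check an overflow-prone parser omits: the declared length
        # must fit inside what was received, otherwise a copy or index based on
        # it runs past the end of the buffer.
        if offset + pkt_len > len(buf):
            raise ValueError(
                f"RTCP packet at offset {offset} declares {pkt_len} bytes "
                f"but only {len(buf) - offset} remain"
            )
        packets.append((pt, pkt_len))
        offset += pkt_len
    return packets


def is_well_formed(buf: bytes) -> bool:
    """Boolean convenience wrapper for use in a filter or a test."""
    try:
        parse_rtcp_compound(buf)
        return True
    except ValueError:
        return False


def make_rtcp(pt: int, length_words: int, body: bytes) -> bytes:
    """Build one RTCP packet header (V=2, P=0, RC=1) with an explicit length
    field, so the length can be set inconsistently with the body on purpose."""
    return struct.pack("!BBH", 0x81, pt, length_words) + body


# Constructed samples: a receiver report (pt 201) with one report block, which
# is 32 bytes (length field 7), followed by an SDES packet (pt 202) of 8 bytes.
GOOD_COMPOUND = make_rtcp(201, 7, b"\x00" * 28) + make_rtcp(202, 1, b"\x00" * 4)

# Same layout, but the second header claims 0xFFFF words (262144 bytes) while
# only 8 bytes follow: a parser trusting the field would read far past the end.
BAD_LENGTH_COMPOUND = make_rtcp(201, 7, b"\x00" * 28) + make_rtcp(202, 0xFFFF, b"\x00" * 4)

# A header cut off after three bytes, which must be rejected before unpacking.
TRUNCATED_HEADER = make_rtcp(201, 7, b"\x00" * 28) + b"\x81\xca\x00"


if __name__ == "__main__":
    print(parse_rtcp_compound(GOOD_COMPOUND))
    for sample in (BAD_LENGTH_COMPOUND, TRUNCATED_HEADER):
        print("well-formed" if is_well_formed(sample) else "rejected")
```

The same discipline applies to every nested length inside the packet body (report-block counts, SDES item lengths): each one is compared to the remaining bytes before it is used as an index or copy size, never the other way round.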
The following product versions are impacted by the vulnerability:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp for Windows Phone prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
Users are encouraged to upgrade their devices to the latest version of WhatsApp as soon as possible.
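For anyone responsible for a fleet of managed devices, the affected-version list above turns into a simple inventory check. The script below is an added example, not something Facebook or WhatsApp publishes: it encodes the minimum fixed version per product from the list, compares installed versions numerically (a plain string comparison would wrongly rank "2.19.9" above "2.19.134"), and reports which devices still need the upgrade. The inventory rows are constructed for the example; a real deployment would pull them from an MDM export.

```python
# Minimum fixed version per product, taken from the advisory's affected-version list.
FIXED_VERSIONS = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}


def parse_version(version: str) -> tuple:
    """Turn '2.19.134' or 'v2.19.134' into (2, 19, 134) so that tuple
    comparison orders versions numerically, component by component."""
    cleaned = version.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed build is older than the first fixed build."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def needs_upgrade(inventory: list) -> list:
    """Given (device_id, product, installed_version) rows, return the ids of
    devices running a vulnerable build, in inventory order."""
    return [dev for dev, product, ver in inventory if is_vulnerable(product, ver)]


# Constructed inventory rows for the example; a real run would read an MDM export.
INVENTORY = [
    ("phone-01", "WhatsApp for Android", "2.19.130"),
    ("phone-02", "WhatsApp for Android", "2.19.134"),
    ("phone-03", "WhatsApp for iOS", "v2.19.51"),
    ("phone-04", "WhatsApp Business for iOS", "2.19.50"),
    ("phone-05", "WhatsApp for Tizen", "2.18.15"),
]


if __name__ == "__main__":
    for device_id in needs_upgrade(INVENTORY):
        print(f"{device_id}: upgrade required")
```

Because the comparison is numeric and component-wise, the check stays correct when the version list above is extended or when a vendor ships a four-component build number; only the table of fixed versions needs updating.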