The National Cyber Security Centre (NCSC) has called on users to update WhatsApp after it emerged that attackers had discovered a security flaw which enabled them to compromise the integrity of the encrypted messaging platform.
The Facebook-owned service, which has around 1.5 billion users, confirmed on Tuesday (14 May) that it had identified a vulnerability in the app that let attackers install spyware by leaving missed calls on target’s phones.
WhatsApp introduced a series of infrastructure changes late last week, which may have thwarted an attempt to snoop on a British lawyer over the weekend, according to a researcher at the University of Toronto who spoke to the Financial Times.
But the company also rolled out a security update for users on Monday, and urged them install it. NCSC said it always recommends that users apply security updates “quickly” and switch on automatic updates.
The exploit is believed to have been developed by a controversial Israeli firm called NSO Group. Amnesty International is currently calling on the Israeli government to withdraw the company’s export licence for allegedly selling its products to “governments who are known for outrageous human rights abuses”.
NSO said that its technology is “licensed to authorised government agencies for the sole purpose of fighting crime and terror”. “The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”
It added: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
The vulnerability meant that attackers were able to ship malware by leaving a missed call on WhatsApp’s call function. It was a “flaw in the signalling” that left targets vulnerable, Alan Woodward, a professor of cyber security at Surrey University, told NS Tech.
“When you make a voice over IP call, before it gets to the point of digitising your voice, various signalling messages get sent backwards and forwards. It was a flaw in that part of the app that was being exploited.”
Sign up to Emerging Threats, our weekly cyber security newsletter
“Unless certain checks are done, using carefully crafted inputs the application can overrun the memory it should be using and gain access to memory it should not have access to,” Woodward added. “This way you can potentially access malicious code or get something which sits in the area of memory you were not supposed to access, to misbehave in some way.”
What remains unclear, however, is whether the attackers “were able to pivot out of the app”, said Woodward, noting that this is normally difficult to do as apps operate in so-called sandboxes. WhatsApp is yet to respond to NS Tech’s query about the matter. The firm said that the attacks targeted a select number of users, but has not yet disclosed how many.