Facebook posted a security advisory for a buffer overflow vulnerability in its subsidiary WhatsApp that could allow an attacker to install Pegasus spyware on victims' devices.
The spyware, developed by the Israeli NSO Group, allows its operators to turn on a phone's camera and mic, scan emails and messages, and collect the user's location data. It can be delivered simply by calling the target: the malware is injected without a trace and without the victim needing to answer the call.
The vulnerability affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
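Because the fix is version-gated per platform, the practical defensive step is to compare each installed build against the first fixed version for its product. The following Python is an added example, not code from the advisory or from WhatsApp; the version thresholds are the ones listed above, while the inventory rows and device identifiers are constructed. It also shows the one comparison pitfall that matters here: versions must be compared as integer components, since a plain string comparison would rank "2.19.9" above "2.19.134".

```python
"""Flag WhatsApp installs that predate the patched build for their platform.

Added example: the thresholds come from the advisory text; the sample
inventory below is constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# First fixed version per product, as listed in the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}

_NUMERIC = re.compile(r"^\d+$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers.

    Tuples compare component-wise, so (2, 19, 9) < (2, 19, 134), which is
    the correct ordering; comparing the raw strings would get it wrong.
    A shorter tuple such as (2, 19) sorts before (2, 19, 134), matching
    how version prefixes are normally read.
    """
    parts = version.strip().lstrip("vV").split(".")
    if not parts or not all(_NUMERIC.match(p) for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> Optional[bool]:
    """Return True if the installed build predates the fix, False if it is
    at or past the fixed version, and None if the product is not covered
    by the advisory (so the caller can tell 'unknown' from 'safe')."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory rows: (device id, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("phone-01", "WhatsApp for Android", "2.19.133"),
    ("phone-02", "WhatsApp for Android", "2.19.134"),
    ("phone-03", "WhatsApp for Android", "2.19.9"),
    ("phone-04", "WhatsApp Business for iOS", "2.19.51"),
    ("phone-05", "WhatsApp for Tizen", "2.18.14"),
    ("phone-06", "Some Other Messenger", "4.2.0"),
]


def flag_outdated(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the device ids whose install is known to predate the fix.

    Products the advisory does not name are skipped rather than flagged.
    """
    return [
        device
        for device, product, version in inventory
        if is_vulnerable(product, version)
    ]


if __name__ == "__main__":
    for device in flag_outdated(SAMPLE_INVENTORY):
        print(f"{device}: update required")
```

Feed `flag_outdated` the rows from an MDM or asset export and it returns only the devices that need the update; unknown products come back as `None` from `is_vulnerable`, so they can be reported separately instead of being silently treated as patched.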
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” said WhatsApp in a statement.
StarLeaf CTO William MacDonald called the vulnerability an extremely severe security hole for similar reasons.
“Despite instant messaging becoming a growing part of our culture of communication, social platforms are often unwisely used for business,” MacDonald said. “This example clearly demonstrates that there are many organizations aggressively hunting for flaws in consumer applications for commercial gain and for use by third parties.”
MacDonald added that because consumer apps are not designed for business usage, it is the responsibility of every employee to adopt only the right solutions, so as to minimize risk and protect company and customer data.
Wandera Vice President of Engineering Mike Campin considered the attack “deeply worrying” and said it “shows how even the most trusted mobile apps and platforms can be vulnerable.”
“While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many,” Campin said.
Campin added that despite the app not typically being used as a corporate messaging application, it is widely used on both employees’ personal devices and on corporate-is