A major WhatsApp security vulnerability emerged Sunday. The loophole allowed hackers to inject spyware via voice calls made on the popular messaging app on both iPhones and Android devices (via Financial Times).
Malicious Code Via WhatsApp Voice Calls
Hackers could transmit Spyware even if a user did not answer the voice call. WhatsApp discovered the vulnerability earlier this month. Engineers in both San Francisco and London worked to close the loophole in the application.
Facebook bought WhatsApp in 2014. The messaging app now has 1.5 billion users. It has always put a large focus on privacy. The company said:
This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.
A security advisory issued by the parent company said:
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
Code Created by Israeli Firm
Israeli firm NSO developed the malicious code. There is a concern that journalists and human rights advocates, amongst others, could be put at risk by it. The company said that “under no circumstances would [it] be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”