WhatsApp Security Flaw Enables Malware

Facebook-owned WhatsApp on Tuesday warned users to upgrade the application to plug a security hole, reported by the Financial Times, that allowed the injection of very sophisticated malware that could be used to spy on journalists, activists, and others.

WhatsApp said it released an update to fix the latest vulnerability in the messaging app, used by 1.5 billion people around the world.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a company statement said.

The WhatsApp spyware is sophisticated and “would be available to only advanced and highly motivated actors,” the company said, adding that “a select number of users were targeted.”

“This attack has all the hallmarks of a private company that works with a number of governments around the world,” according to initial investigations, it added, but did not name the firm.

The spyware appears to be related to the Pegasus software developed by Israel-based NSO Group, which is supplied to law enforcement and intelligence services, according to Washington-based analyst Joseph Hall.

The spyware “could have gotten into someone’s hands” outside legitimate channels for nefarious purposes, Hall, chief technologist at the Center for Democracy and Technology, told AFP.

“It’s unclear who is doing this.”

Security researchers have found that Android and Apple phones can be infected with the spyware through a simple audio call over WhatsApp, even if the user does not answer, which makes detection more complicated, according to Hall. WhatsApp's encryption feature has encouraged activists, journalists, and others to use it for sensitive information.

Hall said the unpatched security flaw opens the door to spying by rogue entities on human rights activists, journalists, and others.

“The potential danger is quite large,” he said.

“These kinds of apps that do encrypt messaging and encrypted phone calls tend to store the most secretive data that people need to protect.”

He said dissidents and pro-democracy activists seeking to remain anonymous rely on these encrypted applications, as do journalists when speaking with sources about sensitive information.

Facebook did not comment on the number of users affected or who targeted them and said it had reported the matter to US authorities.

It also informed EU authorities in Ireland about the “serious security vulnerability,” according to a statement by the country’s Data Protection Commission (DPC).

The revelation is the latest in a series of issues troubling WhatsApp’s parent Facebook, which has faced intense criticism for allowing users’ data to be harvested by research companies and over its slow response to Russia using the platform as a means to spread disinformation during the 2016 US election campaign.

WhatsApp said it had briefed human rights organizations on the matter, but did not identify them.

The NSO Group came to prominence in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates.

Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target’s phone camera and microphone, and access data on it.

The firm said Tuesday it only licenses its software to governments for “fighting crime and terror.”

The NSO Group “does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions,” it said in a statement to AFP.

“We investigate any credible allegations of misuse, and if necessary, we take action, including shutting down the system.”

Researchers at the University of Toronto’s Citizen Lab have claimed that despite NSO’s statement, Pegasus spyware is being misused by many governments.

“Pegasus appears to be in use by multiple countries with dubious human rights records and histories of abusive behavior by state security services,” the researchers said in a report last year.

Amnesty International said meanwhile it would join a legal action this week in Israel by some 30 activists to revoke NSO’s export license, claiming that one of its own staff members was targeted by a “particularly invasive” variant of the software in June 2018 via WhatsApp.

“NSO Group sells its products to governments which are known for outrageous human rights abuses, giving them the tools to track activists and critics,” said Danna Ingleton, deputy director of Amnesty Tech.

“As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world are at risk.”


Ilya Ilyayev
2019-05-17 11:39

These virus spreading “apps” are part of the NSA/CIA Zionist global police state and surveillance tools and should be banned in independent nations.

2019-05-19 05:44

If you’ve been infected, you’ll have to reset your device to factory. Better yet, get yourself a Purism Librem 5, crowdsourced and the most secure and private consumer mobile on earth. https://puri.sm/products/librem-5/