“A buffer overflow vulnerability in WhatsApp VoIP [voice over IP] stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number,” said Facebook in an advisory on Monday.
“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.”
WhatsApp appears to have been the inadvertent conduit for a surveillance campaign. Both WhatsApp and Israeli software developer NSO Group have confirmed that an exploit in WhatsApp’s voice calling allowed attackers to load NSO’s Pegasus spyware onto Android and iOS devices. The tool could infect a device even if the user didn’t answer the call, and the malicious calls would frequently disappear from the call logs. Pegasus can use the camera and microphone in addition to scooping up location and message data.
While the perpetrators haven’t been identified, there are suspicions that it may be a Middle Eastern country trying to clamp down on criticism of its human rights practices. There was a failed attempt on May 12th to compromise the phone of a UK-based human rights lawyer who helped a Saudi dissident in Canada and helped sue NSO for allegedly sharing in the liability of actions perpetrated by its customers. NSO pitches its software to Middle Eastern intelligence agencies, and rights activists in the region have previously received text messages attempting to install Pegasus on their devices.
WhatsApp has alerted human rights groups and the US Justice Department. It also said the effort had “all the hallmarks” of a private company that works with governments to push spyware. NSO, however, rejected the notion that it was involved. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology,” the company said. It further claimed it screened customers and investigated abuse, including the attack on the UK lawyer.
The flaw should be fixed as you read this. WhatsApp delivered a server-side fix on May 10th and released patched versions of its apps on May 13th. However, that doesn’t address accusations that companies like NSO, Hacking Team and others have knowingly sold spyware to countries with histories of cracking down on dissidents. There are efforts to curtail these relationships, such as an imminent challenge to NSO Group’s export abilities on May 15th. Unless those efforts are successful, though, it may be difficult to prevent spyware campaigns like this one.