WhatsApp vulnerability left iOS open to spyware attack

Facebook-owned WhatsApp on Monday disclosed the recent fix of a VoIP-related vulnerability that allowed nefarious parties to remotely install spyware on both iOS and Android handsets.

Discovered in early May, the now-patched bug in the app's audio call feature allowed hackers to deliver a spyware payload to target devices, a process that worked even if the WhatsApp call recipient failed to answer.

It took WhatsApp less than ten days to patch the security hole following its discovery, reports TechCrunch. How long the vulnerability existed without detection is unknown, but the company confirmed hackers took advantage of the window to install an unknown number of malicious payloads.

Although WhatsApp did not name a specific company or spyware variant associated with the security breach, a statement on the matter points to Israeli vendor NSO Group.

"This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems," WhatsApp said.

NSO develops and markets a well-known and notoriously effective piece of spyware called Pegasus. Typically reserved for government buyers, Pegasus is often used by law enforcement agencies to gain wide access to key device functions and data stores.

Apple has in the past attempted to patch flaws in iOS and macOS leveraged by Pegasus, but NSO continues to uncover and exploit zero-day vulnerabilities in iOS to keep its product functional.

WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said.

The company alerted the U.S. Justice Department and various human rights organizations after discovering the vulnerability, and urges users to update their respective app versions to protect against future attacks.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," WhatsApp said in a statement.



23 Comments

skippingrock 199 comments · 19 Years

gack, so how can you figure out if the spyware is there or not?

StrangeDays 12980 comments · 8 Years

Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.

baconstang 1160 comments · 10 Years

WhatsApp, Instagram & Facebook. Lie down with dogs, wake up with who-knows-what.

lkrupp 10521 comments · 19 Years

gack, so how can you figure out if the spyware is there or not?

You have to ask the question, why would the Israelis go through the trouble of installing this on my device? Unless you think you are of interest to that government I wouldn’t worry too much. 

"WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said."

Are you worth it? 

macseeker 541 comments · 8 Years

Apple needs to remove the entire universe of facebook apps from the app store. Also needs to find a way of making sure the prior installed apps don't work. Apple needs to get serious about its privacy policy.