It has been confirmed that hackers were able to remotely install monitoring/spy software on any smartphones and other devices by exploiting a significant vulnerability in the messaging app WhatsApp (owned by Facebook).
WhatsApp stated the attack targeted a “select number” of users, and was managed by “an advanced cyber actor”. A fix was rolled out on Friday.
On Monday, WhatsApp advised all of its 1.5+ billion users to update their apps as an added safety measure. The attack was first “found” earlier this month.
How was the security flaw utilized?
It involved attackers utilizing WhatsApp’s voice calling function to call a target’s phone. Even if the call was not picked up, the spy software would be installed, and, the FT reported, the call would often vanish from the phone’s call log. WhatsApp informed the BBC that its security team was the first to identify the defect, and shared those details with selected security vendors, human rights groups, and the United States Department of Justice earlier this month.
“The attack has all the trademarks of a private firm supposedly that works with governments to provide spyware that takes control of the functions of mobile phone operating systems,” WhatsApp stated on Monday in a press briefing for reporters.
The company also published an advisory to security specialists, in which it explained the defect as: “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack permitted remote code execution by means of specially crafted series of SRTCP [secure real-time transport control protocol] packets sent out to a target WhatsApp number.”
However, some users of the WhatsApp messaging app have questioned why the Google and Apple store notes related to the most recent update are not specific about the fix.
Who is behind the spyware?
The NSO Group is an Israeli business that has been described in the past as a “cyber-arms dealer”. The company is part-owned by the London-based private equity firm Novalpina Capital, which bought a stake in February 2019.
NSO’s flagship software, Pegasus, has the capability to gather intimate information from a target’s phone or device, including capturing information through the microphone and video camera, and gathering location information.
In a statement, the Israeli firm said: “NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting terror and crime. The firm does not run the system, and after an extensive licensing and vetting procedure, law enforcement and intelligence figure out how to utilize the technology to support their safety missions. We investigate any credible allegations of abuse and if needed, we take action, including shutting down the system.
“Under no circumstances would NSO be involved in the identifying or operating of targets of its technology, which is solely operated by law enforcement and intelligence agencies. NSO would not or could not use its technology in its own right to target any organisation or person.”
Who has been targeted?
WhatsApp stated it was too early to know how many users had actually been affected by the security vulnerability, although it added that suspected attacks were extremely targeted.
Amnesty International – which said it had been targeted by tools developed by the NSO Group in the past – stated this attack was one human rights groups had long feared was possible.
“They’re able to infect your smartphone without you actually taking any action,” stated Danna Ingleton, deputy program director for Amnesty Tech. She said there was mounting proof that the tools were being utilized by regimes to keep prominent journalists and activists under surveillance.
“There needs to be some accountability for this, it can’t just continue to be a wild wild west, secretive industry.”
On Tuesday, a Tel Aviv court will hear a petition led by Amnesty International that calls for Israel’s Ministry of Defence to withdraw the NSO Group’s licence to export its products. We are confident the petition will be put down.