A few hours ago WhatsApp revealed that there was a vulnerability in the app which allowed for remote installation of spyware. This was evident mainly across the iOS platform. The exploit was made possible by a bug in the audio calling feature.
The spyware could be installed on the target device by making an audio call, whether or not the call was accepted. Israel-based NSO Group had developed spyware called Pegasus, which let the government infect targets of investigations to gain more intel. This is the same spyware that was used to take advantage of the vulnerability.
After the exploit was discovered, WhatsApp rolled out a server-side patch as well as a client-side update, which seems to have fixed the issue. It took them nearly 10 days. We are not sure how many users have been infected or the extent of the exploit. This is a serious security flaw, but the company says that it was very nontrivial to deploy and thus only a very limited number of people could have been infected.
WhatsApp has always encouraged users to update to the latest version so as to get the latest security patches.
“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15”
The Facebook-owned company has informed the Department of Justice and “a number of human rights organizations” about the issue. NSO has said that it has nothing to do with how its code is used or whom it is used against.
This raises the question of accountability. Who is to be held accountable if such attacks lead to a larger catastrophe? Is it WhatsApp, or is it the group that was responsible for making the spyware in the first place?