SAN FRANCISCO, 14 May 2019:
If you get a WhatsApp call from an unknown number, be warned – this could be a hack which will secretly send spyware to your smartphone, according to an alert issued by the messaging firm.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the Facebook-owned company said in a statement.
“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.”
Various reports say the hack seems to have possible links to Israeli spy tech firm NSO Group – the malware will apparently install automatically even if you didn’t pick up the WhatsApp call, and these calls could also disappear from call logs.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said.
It said the security breach on its messaging app had signs of coming from a private company working on surveillance and it had referred the incident to the US Department of Justice.
WhatsApp, one of the most popular messaging tools, is used by 1.5 billion people monthly and it has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.
A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”
WhatsApp informed its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), of a “serious security vulnerability” on its platform.
“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed,” the regulator said in a statement.
“WhatsApp are still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident,” the DPC said, adding that WhatsApp informed it of the incident late on Monday.
Cyber security experts said the vast majority of users were unlikely to have been affected.
Scott Storey, a senior lecturer in cyber security at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people, mainly human rights campaigners.
“For the average end user, it’s not something to really worry about,” he said, adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.”
Storey said that disclosing vulnerabilities is a good thing and likely would lead to other services looking at their security.