Earlier today, Facebook released a security advisory to alert users of a technical vulnerability that affects the WhatsApp application on Android and iOS. According to the reports, an attacker is able to inject code and install surveillance software on a user’s device by placing maliciously-crafted phone calls (VoIP) through WhatsApp. To make matters worse, the malicious code can be transmitted even if the user does not answer the call.
To fix the issue, Facebook released new versions of WhatsApp for iOS, Android, and its other mobile applications alongside the security advisory. Please make sure you are running the latest release, or update your WhatsApp as soon as possible.
Alongside this patch for users, WhatsApp stated that it has implemented fixes on its servers to prevent this vulnerability from being exploited any further. This means that any future attempts to exploit WhatsApp in this manner should be blocked on both the client and the server side.
Given the sophistication of this attack strategy, even if the vulnerability that allowed the attack to happen in the first place is no longer effective, malicious software could still be present on your device. If you are a high-risk user from civil society and have experienced abnormal behavior while using WhatsApp (such as missed calls from unknown numbers and the application crashing), or get other indicators which suggest that you have been targeted by these attacks, then get in touch with the Digital Security Helpline so our team can assist you.
More broadly, as has been repeatedly evidenced in recent years, human rights defenders, journalists, and activists are the victims of digital attacks intended to surveil, harass, and otherwise interfere with their work. Once again, this attack reveals ever more about the lengths to which malicious actors are willing to go in order to achieve their goals.
We remain extremely concerned about the lack of government action to address the threats posed by surveillance technologies to civil society actors across the globe. The Financial Times reports that a spyware dealer identified the Israeli surveillance software firm NSO Group as the developer of this technology. Even though the link between this most recent attack and NSO Group has not yet been confirmed, the story raises the stakes of discussions between civil society groups and NSO’s international investors, as well as of the government licensing that allows the company to continue down its dangerous path.
This latest security threat put the privacy and security of WhatsApp’s 1.5 billion users at risk, and should convince all large platforms and their investors of the need to encourage disclosure of security vulnerabilities, to share security information with civil society in a timely fashion, and to collaborate with private and public stakeholders to bring accountability and transparency to the surveillance trade. Until governments step up, though, we will likely see more victims targeted with impunity by this toxic industry.