A security flaw in WhatsApp has turned the massively popular messaging app into the delivery vehicle for spyware used in a surveillance operation. The malicious software, called Pegasus, can be loaded onto an Android or iOS device via a WhatsApp voice call and then gather information from the device.
Both WhatsApp and NSO Group, the Israeli company responsible for developing the spyware, have confirmed the vulnerability. Pegasus can infect a device via a WhatsApp call even if the user doesn't answer, delete its calls from the logs, and hijack the camera and microphone on a device in addition to harvesting communication and location data.
Pegasus is sold commercially to Western and Middle Eastern government agencies, ostensibly for counter-terrorism and crime-fighting surveillance efforts. In this case, there are indications that the perpetrators of the latest cyberattacks via WhatsApp may be a Middle Eastern nation trying to silence criticism of its human rights violations. On May 12, Pegasus was used in a failed attempt to compromise the phone of a UK-based human rights lawyer who has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada to sue NSO for liability in the actions of its customers. Middle Eastern human rights activists have been targeted by Pegasus in the past.
WhatsApp alerted the US Justice Department and human rights groups about the threat, asserting that the operation had "all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems". NSO, however, denies any involvement with the attacks after the point of sale. "Under no circumstances would NSO be involved in the operating or identifying of targets of its technology."
The flaw is fixed, so long as you're up-to-date
Although WhatsApp has patched this security flaw at the time of writing, as a precautionary measure the company told users to check that they're running the latest version of the app on their devices. You can get the latest WhatsApp build from the Play Store or from WhatsApp directly.
WhatsApp also advised users to make sure their mobile operating system, whether iOS or Android, is up to date, for proper protection against potential targeted exploits designed to access information stored on the device. NSO claims that it always investigates credible allegations of misuse and says it is looking into the WhatsApp call attack. But so long as sophisticated spyware can be sold and exported to third-party actors without much oversight, it won't be easy to prevent similar surveillance campaigns from affecting many in WhatsApp's 1.5-billion-strong user base.