A new vulnerability has been found that lets an attacker install NSO Pegasus spyware on your phone via a single call on WhatsApp, even if the call hasn’t been answered. It is recommended that you update to the latest version of WhatsApp immediately.
The spyware also removes the call record from the WhatsApp call log, meaning that it can be installed undetected, as reported by the Financial Times.
Both iOS and Android phones are vulnerable to the spyware, which can collect information from the device, such as emails, messages and location, and can also control its camera and mic.
The Pegasus spyware that is exploiting this vulnerability in WhatsApp is the brainchild of the Israel-based private company NSO Group Technologies. Pegasus is provided to governments and government agencies globally to spy on people.
The Facebook-owned instant messaging app had been aware of the vulnerability since earlier this month and fixed it with an update for Android on May 10.
If your WhatsApp isn’t updated to the following versions or newer, your device is vulnerable to the NSO spyware.
- WhatsApp for Android: v2.19.134
- WhatsApp Business for Android: v2.19.44
- WhatsApp for iOS: v2.19.51
- WhatsApp Business for iOS: v2.18.348
- WhatsApp for Tizen: v2.18.15
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” stated the Common Vulnerabilities and Exposures notice put up by Facebook (CVE-2019-3568).
WhatsApp has north of 1.5 billion users globally, and the privacy and security of all of them were at risk until WhatsApp fixed the vulnerability and updated the app. Users who are unaware of the update and haven’t installed it yet are still at risk.
Facebook’s track record when it comes to the privacy and security of its users has been as terrible as it can be, and the lack of accountability on yet another privacy scare for users of another Facebook-owned service just goes to show the company’s lack of commitment to the privacy and security of its users.
It’s been a few days since the update patching the vulnerability was released but the company didn’t urge its users to update to the latest version even though they were aware of the perils for end-users. So far, it’s unclear how many people were affected by the vulnerability.
Prayank heads the Editorial at Candid.Technology. When not writing, he loves taking trips on his bikes or chugging beers as Manchester United battle rivals.