WhatsApp, the Facebook-owned messaging platform, is encouraging its 1.5 billion users worldwide to update their app immediately to patch a spyware vulnerability that could allow outside access to data from consumers’ phones.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a company spokesperson wrote in an e-mail to Consumer Reports.
To update the app on an iPhone, open the App Store and select Updates > WhatsApp > Update.
On an Android device, open Google’s Play store and tap on the three lines in the upper left corner, then select My Apps & Games > WhatsApp > Update.
According to a Facebook tech advisory, the issue affects the following versions of the app:
• WhatsApp for Android prior to v2.19.134
• WhatsApp Business for Android prior to v2.19.44
• WhatsApp for iOS prior to v2.19.51
• WhatsApp Business for iOS prior to v2.19.51
• WhatsApp for Windows Phone prior to v2.18.348
• WhatsApp for Tizen prior to v2.18.15
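For anyone checking a fleet of phones against that list, the following Python script is an added example (not part of the article or of WhatsApp's own tooling) that compares installed builds with the advisory's thresholds; the platform keys, the inventory format and the sample devices are assumptions.

```python
# Added example (not from the article): check a reported WhatsApp build
# against the version thresholds listed in the advisory above.
# Versions must be compared as integer tuples, not strings: "2.19.134"
# sorts before "2.19.44" as text but is the newer build numerically.

# Thresholds as given in the Facebook advisory quoted in the article:
# builds strictly older than these are affected.
FIXED_VERSIONS = {
    "android": (2, 19, 134),
    "business-android": (2, 19, 44),
    "ios": (2, 19, 51),
    "business-ios": (2, 19, 51),
    "windows-phone": (2, 18, 348),
    "tizen": (2, 18, 15),
}


def parse_version(version: str) -> tuple:
    """Turn '2.19.134' (optionally prefixed with 'v') into (2, 19, 134)."""
    text = version.strip().lower().lstrip("v")
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool:
    """True if this build is older than the fixed release for its platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"unknown platform {platform!r}")
    return parse_version(version) < FIXED_VERSIONS[key]


def triage(inventory):
    """Return the (device_id, platform, version) entries that still need the update."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical export from a device-management tool).
    inventory = [
        ("phone-01", "android", "2.19.133"),
        ("phone-02", "android", "v2.19.134"),
        ("phone-03", "business-android", "2.19.44"),
        ("phone-04", "ios", "2.19.5"),
        ("phone-05", "windows-phone", "2.18.348"),
    ]
    for device, platform, version in triage(inventory):
        print(f"{device}: {platform} {version} is affected; update required")
```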
“An attack of this kind is really bad for the relatively few victims who were targeted,” says Bobby Richter, who heads privacy and security testing for Consumer Reports. “But, to make sure they don’t become a target themselves, consumers need to make sure their WhatsApp is up to date. They shouldn’t wait. Everyone should take a minute to update the app right now.”
Security analysts have traced the problem, first discovered in early May and initially reported by the Financial Times, to an Israeli security company called the NSO Group. It’s not clear how many phones have been targeted by the malware, which has been dubbed Pegasus, according to WhatsApp.
NSO says it licenses its software to government agencies to fight crime and terrorism, but according to the Citizen Lab at the University of Toronto, the Pegasus spyware has also been used to target journalists, activists, and other civil targets in 45 countries including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.
An attacker can install Pegasus on a target phone by simply placing a WhatsApp call to the victim, even if the victim doesn’t pick up the call. The attacker can then gain access to the phone’s camera and microphone, as well as e-mails, messages, location data, and more.
“Once exploited via this new attack, the attacker has complete control and visibility of all data on the phone,” says Mike Campin, vice president of engineering for Wandera, a security firm that specializes in mobile platforms for corporate clients.
“In tech security circles, this is called ‘privileged remote code execution,’” says CR’s Richter. “It’s really a worst-case scenario for the victim because of the sheer amount of information and control gained by the attackers.”
WhatsApp says it is providing information about the security vulnerability to both U.S. law enforcement and a number of human rights organizations.
Security experts say this incident should serve as a reminder that even supposedly secure digital platforms can sometimes be hacked. “Bear in mind that this isn’t the first time WhatsApp’s security has been brought into question,” says Campin, citing a spate of recent phishing attacks on the platform. “WhatsApp’s ‘end-to-end-encryption’ badge shouldn’t be mistaken as a guarantee that communications are secure.”