WhatsApp Vulnerability Exploited To Install Spyware

It has been reported that a “targeted” surveillance attack was discovered in WhatsApp: hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in the app. The attack targeted a ‘select number’ of users and was orchestrated by ‘an advanced cyber actor’.

Expert Comments:   

Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies:  

“Almost all applications contain some form of vulnerability and when those applications are as popular as WhatsApp, those flaws will be hunted out with far more vigour than others. That doesn’t negate the fact that this is going to be incredibly concerning for the general public and it returns us to the subject of Facebook. Facebook has been proven to have less than a concrete grip on privacy and security, so this will only add fuel to the fire.   

“It is worth remembering that WhatsApp is an internet application and with that comes risks of hacking, so the usual advice stands – don’t share anything on it that you wouldn’t want to be seen or appear in public. Everyone should take the advice of WhatsApp and update their applications immediately. If required, they should also update their phone’s operating system as doing so can help protect against other security flaws – and it’s good practice to do so as soon as updates become available.”

Adam Brown, Manager of Security Solutions at Synopsys:  

“This is an exploit of a bug in software WhatsApp is built on that has a real world impact. Victims of this attack include journalists and activists; attackers are able to use the victim’s phone as a room tap, look at or change information on the phone and find the victim’s location, amongst other things.

“The compromise is possible because applications, including WhatsApp, use many third party components; WhatsApp has ‘libssh’ in its inventory as do many others. Because of a bug in the version of ‘libssh’ (an open source client side C library implementing the SSH2 protocol) attackers are able to run their code on the victim’s phone.

“It’s best practice for software companies to know what’s in their bill of materials that make up their software, and to compare that with known vulnerable versions of software components. By doing so, this kind of vulnerability can be avoided.”

Assaf Dahan, Senior Director, Head of Threat Research at Cybereason:  

“The risk is that once the Spyware (Pegasus) is installed on the victim’s phone, the attackers gain complete access to all of the information on that phone (such as geo-location, contacts, messages, mail, and other data). In simple words, they can monitor everything the victim is doing, therefore complete violation of privacy. Potentially any WhatsApp user can be vulnerable to this attack. This zero day does not require any interaction from the user, and therefore is very difficult if not impossible to avoid. Since this Zero day is attributed by the researchers to the NSO Group, it’s likely used surgically, only against specific people of interest and not as a mass infection payload. Assuming that the latest version published by WhatsApp fixes the buffer overflow vulnerability, users who install the latest version will be protected. That being said, there might be other Zero day exploits in the attackers’ arsenal that haven’t been discovered yet, that might be used against WhatsApp or other mobile apps.”

Jake Moore, Security Specialist at ESET:

“For a vulnerability to be found across the 1.5bn devices where WhatsApp is installed is quite a mean feat in 2019. An attack like this bears all the hallmarks of cyber espionage and was likely to have been used on only a small number of highly targeted individuals.

“These types of attacks are extremely rare but also not to be taken lightly. It is clear from this attack that cyber-criminal organisations continue to look for vulnerabilities in applications used by millions of people around the world in the hope they will find something to exploit.

“It doesn’t suggest that any messages have been intercepted in this attack which bodes well for the encryption used by WhatsApp. They have asked all of their users to update the app as a precaution as if this were to have got into the wrong hands, it could have extracted data from many more devices and caused all sorts of problems. Turning on auto updates will protect users from any further vulnerabilities once they are found.”

Winston Bond, EMEA Senior Technical Director at Arxan: 

“The attack on WhatsApp is based on using a bug in the code to give the attackers control over what it does. It takes a lot of research and reverse engineering to create an attack like that. Nothing will stop bugs, but app hardening would have made that research phase much harder and could have given Facebook a heads-up that someone was tinkering with their app. Unfortunately, too many consumer-facing apps are published without any serious protection against reverse engineering. It’s time that changed.”

Ed Macnair, CEO at CensorNet:

“WhatsApp has over 1.5 billion users globally, so the news that it had such a massive vulnerability is going to unsettle plenty of people. And rightly so, as the details of this cyber attack, where spyware is being injected onto users’ devices via the app’s call function, are particularly unnerving. The attacks appear to have been specifically targeted, for example a UK based attorney’s phone was attempted to be breached, but this doesn’t mean that the rest of civil society shouldn’t be worried that such an extensive vulnerability was present in the app.

“There’s been a blurring of lines between what we might consider consumer tech and enterprise tech. WhatsApp started its life firmly in the consumer corner, but has since been adopted by employees and organizations as an easy way to communicate. What we now have is an excellent example of why that can be a problem.

“WhatsApp has instructed users to update the app to a version that has fixed the vulnerability in the infrastructure which allowed this to happen. Businesses must remember that, whether they know it or not, WhatsApp is being used on corporate devices and they also need updating.”