Tuesday, May 14, 2019

WhatsApp was breached: Here's what users need to do

Dalvin Brown, USA TODAY Published 8:36 a.m. ET May 14, 2019 | Updated 11:05 a.m. ET May 14, 2019

A cybersecurity breach in Facebook's messaging app WhatsApp left users unknowingly vulnerable to malicious spyware installed on their smartphones, WhatsApp admitted Monday.

The security vulnerability affects both iPhone and Android devices, and WhatsApp is urging users to update their apps as soon as possible.

WhatsApp, which is used by over 1.5 billion people, confirmed the vulnerability in a statement, but didn't name the perpetrator.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement.


The Financial Times reported that a loophole in WhatsApp allowed attackers to inject spyware on smartphones by calling targets using the app. The malicious code could be transmitted whether the user answered the call or not.

The Financial Times said the spyware was developed by Israeli cyber surveillance company NSO Group.

An NSO spokesperson told USA TODAY that the company's technology is "licensed to authorized government agencies for the sole purpose of fighting crime and terror."


WhatsApp says the cyber threat was first discovered earlier this month and had been used to target a "select number" of users. The messaging company said it briefed human rights organizations on the discovery and notified U.S. law enforcement to help them conduct an investigation.


David Lee
May 14, 2019


How was the security flaw used?

It involved attackers using WhatsApp's voice calling function to ring a target's device.

Even if the call was not picked up, the surveillance software could be installed. According to the FT report, the call would often disappear from the device's call log.


Who has been targeted?

WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that suspected attacks were highly targeted.

According to the New York Times, one of the people targeted was a London-based lawyer involved in a lawsuit against the NSO Group.

Amnesty International, which said it had been targeted by tools created by the NSO Group in the past, said this attack was one human rights groups had long feared was possible.

"They're able to infect your phone without you actually taking an action," said Danna Ingleton, deputy programme director for Amnesty Tech. She said there was mounting evidence that the tools were being used by regimes to keep prominent activists and journalists under surveillance.

