back to article It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware

A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims' smartphones: all a snoop needs to do is make a booby-trapped voice call to a target's number, and they're in. The victim doesn't need to do a thing other than leave their phone on. The Facebook-owned software suffers from a classic …

  1. Kevin McMurtrie Silver badge

    The question is

    Given that at least some WhatsApp and Facebook developers would use WhatsApp, is an external entity still secretly in control? They're blaming this hack on the kind of organizations who might dedicate a few people to maintaining the product offerings.

    1. doublelayer Silver badge

      Re: The question is

      I don't think they were saying that this hack was created by NSO/anyone external, but that the expertise needed to find and exploit it in the wild, as has been happening, is likely that of NSO/someone external. I thought the exact same thing when I read that line, but the paragraph after that makes it look like the above suggestion. Given that this program is not open source and has an encryption layer on all its network traffic, I would say that it is at least somewhat hard to find and probably signifies some level of sophistication on the part of the attacker abusing it.

      1. Andy The Hat Silver badge

        Re: The question is

        "As a law abiding 'merkin I demand that all Chinese software with potential security flaws is banned."

        "But Whatsapp is 'merkin Sir. And the flaw was exploited by our very, very good friends the Israelis. They just sold it, like good capitalists, all over the world, probably to the NSA and CIA"

        "That's great. Our great friends helping us!"

        "Sir, let me finish, and the Chinese, North Koreans, Saudis, Russians ..."

        " Chinese you say? That proves my point, ban all Chinese software!"

        "But Sir ...?"

        1. GnuTzu

          Re: The question is

          Just how addicted do we want to be to things constructed elsewhere? Oh wait; that's consumerism. And, where was that invented?

          1. ArrZarr Silver badge

            Re: The question is

            ...Britain

    2. David Shaw

      bugdoor found, compliments

      now hunt for the next one

    3. Anonymous Coward
      Anonymous Coward

      Re: The question is

      Given that at least some WhatsApp and Facebook developers would use WhatsApp, is an external entity still secretly in control?

      It's curious that so many hacks which would benefit from insider knowledge (this one, iPhone cracking and so on) seem to emerge from Israeli companies. I wonder if this makes security-minded companies reluctant to hire Jewish software developers.

      1. ROC

        Re: The question is

        At least as much as they should be wary of Chinese devs...

  2. ghp

    A waste of good breath?

    "Amnesty International and others will this week urge the Israeli military to ban the export of NSO Group's software"

    1. MyffyW Silver badge

      Re: A waste of good breath?

      I'm very glad I live in a world where Amnesty International are free to waste their breath.

      1. asdf

        Re: A waste of good breath?

        I agree with their mission and all but yeah their press releases on how evil ISIS was towards human rights was a no sh1t sherlock moment. Like they could shame them or something.

        1. RegGuy1 Silver badge

          Re: A waste of good breath?

          Or that's the format you have to use to make yourself visible in this loud, shouty world.

          We are talking about them. That statement was therefore a good use of breath!

      2. the future is back!

        Re: A waste of good breath?

        Sad, ironic, sarcastic, but true. But still, I am also free to donate to Amnesty Int. As a side comment, wasn’t Manafort snagged interfering with witnesses via Whatsapp logs?

  3. Wellyboot Silver badge

    I'm sure

    >>>NSO claims it carefully vets its customers<<< - Vetting Q1: Do you have the money we're asking for this?

    >>>The real story here is that WhatsApp found the damn thing<<< I'm possibly being cynical here but was it while trying to do exactly that for 'research'

    1. Shooter

      Re: I'm sure

      "Okay guys, the check cleared!"

    2. ROC

      Re: I'm sure

      Isn't that how they found out? When their "telemetry" crashed mysteriously. I thought "research" was the purpose of telemtry.

  4. Blockchain commentard

    So, Facebook is concerned about privacy? Really?

    1. Anonymous Coward
      Anonymous Coward

      Privacy of data slurped by FB, sure, nobody else should be allowed to slurp through FB apps, of course. Plus this kind of things may mean some people actually stop using FB apps.

      1. Clunking Fist

        "Privacy of data slurped by FB, sure, nobody else should be allowed to slurp through FB apps, of course."

        Except for the folks that FB give access to, such as: many developers, Cambridge Analytica and the Obama 2016 Campaign?

    2. phuzz Silver badge

      "Facebook is concerned about privacy?"

      Of course! They don't want anyone else spying on their revenue streamcustomers you know.

  5. Anonymous Coward
    Anonymous Coward

    This is going to be big.

    Much bigger than FB's Cambridge Analytica.

    I think it'll raise a lot of public awareness and questions on trusting closed-source centralised Platforms with Stasi-State-Sponsored Backdoors.

    1. Dave 126 Silver badge

      Re: This is going to be big.

      Bigger? Facebook held the door open for Cambridge Analytica, whereas this is akin to a well funded group sneaking in through an unsecured back window.

      For sure, open source systems can be audited to ensure there are no security flaws, but the time and resources required to do means that in reality such audits are rarely undertaken. And even if an audit is undertaken, the security of your communications depends upon the security of your correspondent's phone or computer.

      1. AMBxx Silver badge

        Re: This is going to be big.

        It's the first story on Sky, BBC & Reuters. Hopefully, regular users will start to worry about data privacy now.

      2. simfin

        Re: This is going to be big.

        A well funded group....billions of $'s poured into Israel when Russia, Eastern Europe fell apart

        1. Anonymous Coward
          Anonymous Coward

          Re: This is going to be big.

          Surely it’s obvious: the purpose of the malware injection must have been to create a mass botnet to robo-vote for Israel again in Eurovision?

          (I sincerely hope that their song this year is better than last year’s: I have no idea how that caterwauling effort actually managed to win!)

      3. martinusher Silver badge

        Re: This is going to be big.

        >Facebook held the door open for Cambridge Analytica

        I tend to think that Facebook were suffering from technology naivety -- you develop a platform for a purpose 'x' and never dream of it being (mis)used for purpose 'y'. The history of Internet development is littered with this sort of thing, starting with "why would anyone want to spoof mail addresses?" through "push technology and cookies are a great way to enhance a user's experience of the Web" to today's "well, it should be secure.....".

        That's not saying that once someone shows a corporation like Facebook a way to misuse their data that they won't see opportunity in such misuse...

        1. Clunking Fist

          Re: This is going to be big.

          "I tend to think that Facebook were suffering from technology naivety -- you develop a platform for a purpose 'x' and never dream of it being (mis)used for purpose 'y'."

          You think FACEBOOK is naive..? They sold or gave access to almost anyone "hey, here's access to a large quantity of data, see what you can make of it".

    2. Anonymous Coward
      Anonymous Coward

      Re: This is going to be big.

      nah, CA and FB got caught with their pants down in the bathroom stall. This was just a back door that was publicly disclosed, so they had to replace it. But don't you worry, we still have full access.

      Hail Hydra!

  6. bilston
    WTF?

    Theres a big difference here

    I can understand emails with dodgy attachments, web sites with dodgy java, I can just about control all of this.

    BUT when a call which I do not answer puts a tracker on my phone, well, what chance do we stand.

    Bring back the Nokia flip (yes I know they have)

    1. Anonymous Coward
      Anonymous Coward

      Re: Theres a big difference here

      Fortunately, there is an obvious answer to this one that does not involve using a flipphone, but does involve uninstalling certain things.

      .

      1. Doctor Syntax Silver badge

        Re: Theres a big difference here

        "but does involve uninstalling certain things."

        Or not installing them in the first place.

        1. Korev Silver badge
          Black Helicopters

          Re: Theres a big difference here

          The stream of IOS & Android updates suggests that the core phone OS is enough to potentially expose you.

        2. Anonymous Coward
          Anonymous Coward

          Re: Theres a big difference here

          Provided it doesn't come preinstalled on the device.

          1. Anonymous Coward
            Anonymous Coward

            Re: Theres a big difference here

            Yes, that was what I was thinking. My current phone came with preinstalled Zuckershit. I never ran it, but when I came to disable it, on the very first day, it already had 27kB of user data. And I don't have an account.

            1. ROC

              Re: Theres a big difference here

              Probably it was from that FB "kit" that clueless developers throw into their code just because it's "good coding practice" (per FB guidelines, or whoever's app they were using as a template).

    2. NATTtrash
      Childcatcher

      Re: Theres a big difference here

      It was bound to happen, wasn't it? So many (sometimes so non-tech that it hurts) politicians moaning about the fact that (Think of the children!) we really, really needed a "governmental backdoor" or an "encryption with decryption keys supplied to us to safeguard the world".

      Well, it has been quiet for a while on that front, and I suppose we now know why...

      Actually, that flip phone is not that bad an idea. Sod WhatsApp, encryption and so on. Think about the fact that it will bring back the times that you only had to charge once every month. Will do wonders to the human carbon footprint...

      1. Nick Kew
        Black Helicopters

        Re: Theres a big difference here

        If you want the conspiracy version of this ...

        ... the current alert is a means of distributing the update that introduces shiny new NSA spyware.

    3. a_yank_lurker

      Re: Theres a big difference here

      Another way to secure your information is to limit what the phone is used for. If no financial and very restricted purchase activities are done on the phone then the damage malware can do is limited. The real problem is that many use a phone as if it is desktop with a hardwired connection to the router. Their phones are very juicy targets for miscreants.

      1. Anonymous Coward
        Anonymous Coward

        Re: Limit.

        No use if it is listening all the time.

      2. bilston

        Re: Theres a big difference here

        and how do I do my banking, my local is closed, how do I buy my stuff on line, just asking

  7. Winkypop Silver badge
    Big Brother

    Orwell warned of the Telescreen

    "The telescreen received and transmitted simultaneously. Any sound that Winston made, above the level of a very low whisper, would be picked up by it, moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard."

    He never imagined to true scale of the surveillance state we live in just a few decades after 1984.

    1. RFC822

      Re: Orwell warned of the Telescreen

      Who needs to do that when people already bring Alexa/Siri/Echo/etc into their homes?

      1. Rich 11

        Re: Orwell warned of the Telescreen

        "Alexa, are you spying on me?"

        "Of course not, Rich 11. Now hurry up and finish the hoovering. Your girlfriend will be home in 73 seconds."

        1. aregross

          Re: Orwell warned of the Telescreen

          Hoovering? Surely you must mean 'Dysoning'...

      2. MrXavia
        Big Brother

        Re: Orwell warned of the Telescreen

        Yes, but we know Apple/Amazon/Google are listening, and we know they don't care if we're screwing the neighbours wife or murdering someone. they just care that we're using their tech and buying things!

        Sure Alexa may record because it thinks it heard 'Alexa', the recording may get transcribed by some poor sod getting paid way too little for the things they have to try and forget all in the name of improving speech recognition... BUT the benefit is that we improve speech recognition.. so unless you can think of a better way to improve computer speech recognition, this is the way it is going to be...

        We will all bow down to the AI overlords when they realise humans are petty and mean

        1. Anonymous Coward
          Devil

          "they don't care if we're screwing the neighbours wife or murdering someone"

          Just wait they can find a way to monetize that without being sued...

          1. HorseflySteve
            Alert

            Re: "they don't care if we're screwing the neighbours wife or murdering someone"

            For some reason, I just got a mental image of Terry Jones sitting naked at an electric organ...

            1. N2

              Re: "they don't care if we're screwing the neighbours wife or murdering someone"

              So if youre watching Mrs Teal, this is for £15...

            2. Anonymous Coward
              Anonymous Coward

              Re: "they don't care if we're screwing the neighbours wife or murdering someone"

              So, Mr. Jones, just £15* - and your wife need not find out about your lovely mistress. (Picture).

              * - it would be Bitcoin nowadays now the price is being levered up again

      3. Warm Braw

        Re: Orwell warned of the Telescreen

        Who needs to do that when people already bring Alexa/Siri/Echo/etc into their homes?

        And carry their mobile phones wherever they go.

  8. Doctor Syntax Silver badge

    “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies”

    Rice-Davies applies.

    1. Adrian 4

      "Meanwhile, Amnesty International and others will this week urge the Israeli military to ban the export of NSO Group's software on the grounds it's sold to governments with, ahem, questionable track records on human rights"

      Are there governments that don't have questionable track records on human rights ? I think there are only grades of questionability and none that would score sufficiently well to be considered perfect.

      1. phuzz Silver badge
        Trollface

        "Are there governments that don't have questionable track records on human rights?"

        Well, there is North Korea. Nothing questionable there, you just get zero human rights.

        1. lglethal Silver badge
          Trollface

          Hey hey hey North Korea is a democracy (it's right there in the name - Democratic Peoples Republic of Korea). It's a One Man, One Vote nation. It just so happens that Kim Jong Un is that Man, and the Vote is his...

          (paraphrased with loving respect to PTerry for that wonderful quote...)

          1. Nick Kew

            Point of Order

            While PTerry's use of that quote was indeed brilliant (like so much of his writing), the quote itself is older than him. I can't recollect anything concrete, but I have an idea it was known in ancient Rome.

          2. Uncle Slacky Silver badge
            Thumb Up

            Congratulations, you are now a moderator of /r/Pyongyang!

          3. ICPurvis47
            Coat

            Democratic?

            Any country which includes the word "Democratic" in its name is guaranteed to be anything but.

      2. Anonymous Coward
        Anonymous Coward

        Costa Rica? Lichtenstein? Switzerland? As you say, nowhere is perfect.But some are a lot better than others.

    2. Anonymous Coward
      Anonymous Coward

      One rule for the gangster overlords....

      “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies”

      I merely supplied the murder weapon, I had no involvement with regards the victim. But between us, we decided it was OK to use the weapon against "legitimate" targets, plus we make the targets ultimately pay for our weapons.

  9. Headley_Grange Silver badge

    Tools

    Seriously - aren't there tools or procedures to check for buffer overflows?

    1. Anonymous Coward
      Anonymous Coward

      Re: Tools

      Mi Amiga, 1985, came with Mungwall for just that purpose.

    2. Anonymous Coward
      Anonymous Coward

      Re: Tools

      Tools yes there are plenty that exist and No there is not any procedure to "check for buffer overflows" or regulations either. Often doing that part of the development cycle will push back release dates and we gotta have those cause how else will you get paid... ;)

      Been doing auditing of source for a few years now and nope there are very few places that use concepts like continuous integration... it is starting to catch on these days but usually in small shops and there are few big boys who do it too but not everywhere. Just too expensive to do that part until they (softdev companies) are regulated/mandated to do so, kinda like a car needs a crash test report before it can be sold in public. I think that all public touching software should be audited by an independent third party if PII or Financials are involved. In fact I personally believe that all publicly touching software should be opensource personally since it lets all see what is going on with the data you input and the tinfoil hats can tinfoil just to be sure nothing nasty is going on. Also if this public touching software is opensource then much less finger-up-the-bum-security (less intrusive) involved for those doing the auditing.

    3. Anonymous Coward
      Anonymous Coward

      Re: Tools

      LOL you think this was a mistake??!! LOL

      Hail Hydra

    4. Ken Hagan Gold badge

      Re: Tools

      Equally seriously - aren't phone apps supposed to be written in managed languages where such overflows are Impossible By Design (tm)?

      1. Kevin McMurtrie Silver badge

        Re: Tools

        Android's Java and Kotlin are immune to this but native code apps must still be allowed. The JVM is bad at certain types of data processing, like contiguous arrays of structures and unsigned math larger than 16 bits. Audio/video processing really messy in JVM bytecode.

      2. TimMaher Silver badge

        Re: Tools

        You didn’t include the <sarcasm id=“snark”></sarcasm> tag.

        Some kiddie winkies will be coding in some flavour of C and they may have even let some loose with the relevant assembler.

        In that case a buffer over/under run is almost inevitable.

        Sigh...

        1. Lomax

          Re: Tools

          <sarcasm class=“snark”></sarcasm>

          ftfy

          1. TimMaher Silver badge
            Pint

            Re: Tools

            Excellent!

            Get you a crate of beer for that @lomax.

    5. Nifty Silver badge

      Re: Tools

      Yes, they're the human management.

  10. RFC822

    How would I know if I've been compromised?

    OK, I've updated WhatsApp to the latest version, so I'm presumably safe (at least for the moment) against future attacks.

    But how would I know whether my handset has already been compromised?

    1. Rich 11
      Black Helicopters

      Re: How would I know if I've been compromised?

      Have you ever switched it on?

    2. well meaning but ultimately self defeating

      Re: How would I know if I've been compromised?

      Is there any particular reason you think you would be compromised Rob?

      1. Androgynous Cupboard Silver badge

        Re: How would I know if I've been compromised?

        I think Rob's just being paranoid. He's been at his desk since 0811 with his phone right next to him and only turned his back for 83 seconds to chat with Ken. About 0823 I think.

      2. Muscleguy

        Re: How would I know if I've been compromised?

        Some of us would be considered 'enemies of the state' by the security services. I'm a paid up member of Scottish CND which wishes for the Trident nuclear deterrent to end and regularly stages demos at the Faslane base which close access to it.

        I'm also a left wing Scottish Independence campaigner who wishes to break up the Union Polity of the United Kingdom. Considering they have files on utterly peaceful, non threatening environmental campaigners assuming my devices are NOT at risk considering what Snowden taught us would be naive in the extreme.

        During the Scottish IndyRef there was a large discrepancy in the free space on my phone whether it was what the phone reported or the computer reported when it was connected. Nothing helped and I would often mysteriously run out of space I should have had.

        Then the Android OS had a security update and I suddenly got all that space back, overnight. None of the cleaners or anti virus apps found anything wrong. Am I paranoid or justifiably cautious?

        The Google app does not have permission to access the microphone and when meeting my fellow left wing Yes activists to discuss strategy my phone is switched off or left at home.

        You may not have to think of such things but some of us, it seems, do.

        1. Anonymous Coward
          Anonymous Coward

          Re: How would I know if I've been compromised?

          You are getting an upvote merely for being someone of whom I strongly approve.

    3. Anonymous Coward
      Anonymous Coward

      Re: How would I know if I've been compromised?

      Just because you updated doesn't mean you're safe.

      I updated my iphone just now, but the version i got is still vulnerable v2.19.50. The fixed verison 2.19.51 isn't available yet (maybe this is just a UK thing?)

      Check the CVE here https://www.facebook.com/security/advisories/cve-2019-3568, and check what version you actually have.

      This is quite dangerous, because people like you are updating and assuming they're patched, but they might not be

      1. RFC822

        Re: How would I know if I've been compromised?

        I'm running V2.19.139.

        On Android.

        I do hope that Apple manage to catch up one of these days.

        1. Anonymous Coward
          Joke

          "I do hope that Apple manage to catch up one of these days."

          Wait for Tim Cook to recover from the panic attack after the Supreme Court ruling...

      2. Anonymous Coward
        Anonymous Coward

        Re: How would I know if I've been compromised?

        Have you tried refreshing the App store by dragging down on the update screen?

      3. Moog42

        Re: How would I know if I've been compromised?

        Quick poll in our office shows that in the last couple of days iOS handsets updated to the x.50 version over the weekend, but that's still vulnerable. Forced refresh on the app store and *tada!* Version x.51 magically appears...

      4. Anonymous Coward
        Anonymous Coward

        Re: How would I know if I've been compromised?

        Just updated mine in the UK and it is distributing 2.19.51 now - 14/05/19

        1. Roger Kynaston
          Joke

          Re: How would I know if I've been compromised?

          ditto. I updated first this morning and then reading this and I checked again this afternoon. Looks like Apple were a bit asleep.

          </serious>

          Not that I am admitting to having it installed on _my_ phone at all. No, never! I am not a sheeple!

  11. GrumpyOldMan

    Well well....

    Whilst reading this article and thinking that I'm so glad I have nothing to do with Fartbook or WhatsApp when I got a text on my crappy old emergency use only mobile. It said: "Check out WhatsApp. I use it to message and call the people I care about. Get it for free at ..." Well is that a coincidence? I wonder.

  12. Korev Silver badge
    Big Brother

    Both my work and personal phones have updated WhatApp; when I checked the App/Play Store it said that WhatsApp had been updated but there was no mention about the vulnerability.

  13. ColonelDare
    Holmes

    Just musing.

    > This exploit would be perfect for a nation's spies keen to pry into the lives of persons of interest.....

    Gavin Williamson?

    1. BebopWeBop

      Re: Just musing.

      Gavin Williamson is of no feckin interest to anyone but his ego.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just musing.

        I don't know, Sergei Lavrov finds him amusing.

  14. Anonymous Coward
    Anonymous Coward

    Companies shouldn't use Whatsapp anyway ...

    I'm in between jobs at the moment, but I know my next one won't be with any firm that has a en "employee Whatsapp group" that I'm expected to sign my *personal* phone to.

    Seems to be a thing in the 21t century. Companies build procedures on "free" software. Well now they can claim a refund.

    1. werdsmith Silver badge

      Re: Companies shouldn't use Whatsapp anyway ...

      We have exactly that in the office. I just refused to have the app and there really is nothing else to be said.

      Decided years ago now to never have any Faecebook software near me if I can help it.

    2. Headley_Grange Silver badge

      Re: Companies shouldn't use Whatsapp anyway ...

      A client recently got quite shirty when I wouldn't use Whatsapp. Eventually I blamed it on GDPR and they tucked their shirt in very quickly.

  15. katrinab Silver badge
    Flame

    Changelog for the update

    You can now see stickers in full size when you long press a notification

    Doesn't particularly read like a critical update that you should rush to install.

    Why no mention of the security fix?

    1. tim 13

      Re: Changelog for the update

      I was on 2.19.50 which was installled yesterday with that description. I've just done an update yet it still says 2.19.50

      Edit, actually on the Apps store update page it says 2.19.50, but if I go into the specific details for WhatsApp it says 2.19.51...

      1. Ben 21

        Re: Changelog for the update

        Aha - the iOS AppStore "updates" tab seems to be out of sync with the "search" tab.

        If you search for WhatsApp as if you were installing it for the first time, it shows the latest version and you can press "update".

        But the "updates" tab is lagging behind and only shows the older version which isn't fixed.

        To see what's actually installed, launch WhatsApp, and press Settings -> Help, and the version is displayed at the top of the screen.

        1. Korev Silver badge

          Re: Changelog for the update

          I had to do a manual refresh before it appeared in the updates.

      2. katrinab Silver badge

        Re: Changelog for the update

        My App Store is showing 2.19.51 with the changelog description about enhanced sticker functionality.

  16. Anonymous Coward
    Anonymous Coward

    Trust....

    Quote: "Trust is the glue of life. It’s the most essential ingredient in effective communication. It’s the foundational principle that holds all relationships." – Stephen R. Covey

    *

    Now consider the millions of transistors, the millions of bits of embedded memory, the millions of lines of code......all making that smartphone "work".

    *

    Do you trust the smartphone manufacturer, the CPU manufacturer, the app provider, the mobile phone network provider.....that NONE OF THEM have embedded something that you might not like or trust? ...that none of the bad actors out there (NSA, GCHQ......) have found a way to embed bad stuff?

    *

    Another quote: "The paranoid is a person who knows A LITTLE about what is going on." -- William Burroughs (my capitals)

    1. Hans 1

      Re: Trust....

      Great show, great phone, I want ;-)

      https://www.youtube.com/watch?v=KuNB4ocZDXA

  17. Anonymous Coward
    Anonymous Coward

    nation's spies keen to pry into the lives of persons of interest

    ALL citizens (and non-citizens) are "persons of interest" for nations' spies therefore [Monty Python, what weighs the same as a witch?] how can we scale it up and make it a "bespoke solution for all law enforcement agencies around the world"? And DON'T TELL ME IT'S IMPOSSIBLE, I'm your boss and you're just app developers!

  18. MrXavia
    Big Brother

    OS level security?

    The fact this exploit worked on all 3 major (well 2 major one minor) phone operating systems is quite worrying.

    Surely they all have differing underlying architecture, and all are supposed to prevent unauthorised app installations (iOS especially) So how can one app allow unauthorised software to run on all 3?

    This is very very unsettling! I would certainly like to know exactly how a buffer overflow can cause this! I I am familiar with what a buffer overflow is, but I was under the (obviously mistaken) impression Android/iOS ran Apps in some kind of sandbox to prevent this kind of attack.

    1. Anonymous Coward
      Anonymous Coward

      Re: OS level security?

      A sandbox may contain an attack inside the sandbox - but once you got control of the sandboxed app you can try to use other techniques to escape the sandbox. Still, if the sanboxed apps has broad privileges to access other data outside the sandbox (and whatever is written to slurp your life will ask for them...), once it has been compromised and under the attacker control, it can be used to slurp those data for you too. You don't "install" anything - you modify the installed app behaviour.

      Depending on what the app was written, and how much code is shared among the platforms the actual exploit could be the same or could require different code - still it's not difficult for someone with enough resources (and profit) to develop it for all of them.

    2. monty75

      Re: OS level security?

      Possible that the WhatsApp vulnerability is being used to deliver one or more other zero days the spyware company is sitting on or, more likely, there's some muddled up reporting going on.

    3. sal II

      Re: OS level security?

      I don't think the vulnerability is used to install a malware etc. From what I gather it simply allows the attacker control over the already installed malware (WhatsApp) which already have permissions to microphone, camera, photos etc.

      1. Wilseus

        Re: OS level security?

        "I don't think the vulnerability is used to install a malware etc. From what I gather it simply allows the attacker control over the already installed malware (WhatsApp) which already have permissions to microphone, camera, photos etc."

        I was wondering this too, thanks.

    4. doublelayer Silver badge

      Re: OS level security?

      It doesn't seem that it is escaping the sandbox at all. Unfortunately, from within WhatsApp's sandbox, the malware can access contacts, call history, microphone, and camera* because of videocalls. That's enough to compromise the user of the device quite a bit, even if it doesn't let you read email, browser history, or other types of data on the phone.

      *If the videocall or voice call function has never been used on an IOS device, this exploit shouldn't allow those to be taken because the permission has not been granted. This distinction does not apply to android, and if a voice or video call was ever used, it wouldn't apply to IOS either.

  19. Ben 21

    Latest version on iOS AppStore still isn't fixed

    I just updated my iphone, but the version i got is still vulnerable v2.19.50. Is this just me? Or is everyone updating to a still-vulnerable version?

    Check the CVE here https://www.facebook.com/security/advisories/cve-2019-3568, and check what version you actually have.

    1. tim 13

      Re: Latest version on iOS AppStore still isn't fixed

      Same here. It said it had updated yesterday and was on 2.19.50, but I've just done an update but still has the same number.

    2. jms222

      Re: Latest version on iOS AppStore still isn't fixed

      I updated to 2.19.134 on Android this morning which is good according to https://www.facebook.com/security/advisories/cve-2019-3568 .

      I'd like to understand what is meant by buffer overflow given that it's surely under a JVM (or Google's equivalent) at least for Android.

    3. Ben 21

      Re: Latest version on iOS AppStore still isn't fixed

      Ok, the latest version is there, but it's not in the iOS "Updates" tab.

      Instead search for WhatsApp as if you're installing it for the first time. Then you'll see the newer version 2.19.51, and can update.

      It looks like Apple need to improve the AppStore for getting urgent fixes out. How many people updated WhatsApp in the AppStore and assumed everything is ok when they still had the vulnerable version?

      1. jbuk1

        Re: Latest version on iOS AppStore still isn't fixed

        You need to pull down to updates your updates tab.

  20. roblightbody

    Trapped

    I feel trapped by the Facebook world, and its not a good feeling. I can't be the only one.

    I don't have the facebook app on my phone - never have - but I've found that I can't avoid using WhatsApp - and it needs to be on a phone to function - as too many other people rely on it - that's just a fact.

    Also for Facebook, its many people's entire online world - they seem to not even venture to "old fashioned" websites any more - its just facebook. So its difficult to avoid too. I log into facebook occasionally (using Firefox's Facebook container plugin) and discover people have sent me messages on it and expected a reply days ago...

    1. Jess

      Re: Trapped

      Keep separate phones for work and personal?

      Use Telegram for personal messages. (And that can be installed on a work phone with the personal number, meaning only one phone is needed.

      1. Anonymous Coward
        Anonymous Coward

        Re: Trapped

        Telegram's own homebrewed encryption is apparently regarded with some suspicion by those that know about these things. Signal seems to have a better reputation all round.

        1. Jess

          Re: Trapped

          The thing that makes telegram win for me, is that it doesn't require a smartphone, just a mobile able to receive texts.

          Signal and Viber need a master smartphone installation, and whatsapp requires that and the phone running.

          I'm more worried about the trustworthiness of facebook, rather than the encryption potentially being weaker.

    2. Anonymous Coward
      Anonymous Coward

      Re: Trapped

      "but I've found that I can't avoid using WhatsApp - and it needs to be on a phone to function - as too many other people rely on it - that's just a fact."

      It's not a fact. it's your choice. If you really care about privacy, just exclude Facebook from your life. I have done so, I never had Facebook, I don't want Instagram, and if anyone really wants to contact me, use Hangouts or SMS, or Email, or a real phone, or talk to me in the pub etc etc...

      It's really not that hard, you just ned to get over thinking you are missing out....

      1. CountCadaver Silver badge

        Re: Trapped

        Too right, all too many don't get that if someone is REALLY your friend, they will a) pickup the phone b) send a text message, c) send an email or shock of shocks d) VISIT in person....

        I got rid of facebook a while back, my sense of "zen" is much enhanced since without exposure to the mental vomiting of others.....

    3. Stork Silver badge

      Re: Trapped

      To be honest, that some companies' full web presence is Facebook is scary

      1. A.P. Veening Silver badge

        Re: Trapped

        In the case of Facebook it is only natural.

    4. werdsmith Silver badge

      Re: Trapped

      Banished Faecebook completely. Don’t use it or whatscrap. Never looked back, if anything communication upgrades to genuine communication and I don’t miss any of that chavware at all.

    5. MrBanana

      Re: Trapped

      To me that reads:

      "...but I've found that I can't avoid using heroin"

      Just stop. Get help if you need to. I saw trouble ahead when the Facebook and its ilk first arrived. I never signed up, and from what I see around me - heads buried into their phones, thumbs furiously tapping - I'm happy to keep it that way. Whenever someone want's me to use WhatsApp I send them an invite for Signal.

    6. Anonymous Coward
      FAIL

      Needs to be on a phone to function? WTF???

      I don't have it installed, never have had it installed, and have never had anyone suggest I should be on WhatsApp. When I text iPhone owners they get an iMessage, when I text Android owners they get an SMS/MMS. When I call either it places a call over the cell network.

      Where's the incentive, let alone the NEED for me to have WhatsApp? What would I be able to do if I had it, when I can already text or call everyone as it is?

      1. werdsmith Silver badge

        Re: Needs to be on a phone to function? WTF???

        A problem with messaging is the assorted silos.

        I should be able to message anyone with any app using whichever app I prefer. A unified messaging protocol that all the apps support.

        It's 2019 and some people need to keep several messaging apps so that they can message their contacts depending on their preferred whatever.

        Old tech like SMS and email are app agnostic. Seems we have regressed, dragged down by greed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Needs to be on a phone to function? WTF???

          It is only a problem if people buy into it by choosing a silo that doesn't have a fallback option. iMessage doesn't cause problems for Android owners because integrated into it is SMS/MMS so I don't need to care whether they have iMessage or not to message them and they can message me without knowing or caring that I have an iPhone.

          AFAIK none of the other messaging apps integrate an SMS/MMS fallback, so if you want to use Whatsapp, Signal, Facebook Messenger etc. you need to convince me to get that app too. Good luck with that.

          1. Anonymous Coward
            Anonymous Coward

            Re: Needs to be on a phone to function? WTF???

            "iMessage doesn't cause problems for Android owners because integrated into it is SMS/MMS so I don't need to care whether they have iMessage"

            --

            Of course, if it automatically switches to SMS you lose encryption and privacy.

            Better to just fail.

            And Apple has been known to do stupid things like roll their own crypto libraries with built in vulnerabilites rather than using a common, debugged library. Yes, I know this is not the encryption used by Signal, but it is indiciative of bad security practices that may leave the device vulnerable.

            Better to stay off Apple gear, and use an application that will fail with error messages if the software at the other end is not compatible.

            With protocol agnostic or common protocol applications you have no idea how secure the application at the other end may be.

            If it's the same application by design, then you can at least evaluate it and have some confidence of end to end security.

            1. werdsmith Silver badge

              Re: Needs to be on a phone to function? WTF???

              "Of course, if it automatically switches to SMS you lose encryption and privacy.

              Better to just fail."

              Can we just stop and remember what this Register article is about again?

              Fail indeed.

      2. Cynical user

        Re: Needs to be on a phone to function? WTF???

        Much sympathy with this.. WhatsApp is great for two things..

        1: Exchanging texts with international contacts, avoiding international charges for both parties.

        2: Exhchanging photos and videos - mobile plans include unlimited texts, but charge per message for anything else.

        But for everything else... there's this great thing called "text messages" and "phone calls"

      3. Jess

        Re: Needs to be on a phone to function? WTF???

        iMessage replaces MMS and works internationally and doesn't require a text package (at both ends).

        But you can use alternatives to whatsapp.

    7. anoco

      Re: Trapped

      (*The following is a non sarcastic comment.*)

      I understand why you feel trapped, even though I don't use whatsapp or have facebook on my phone. There's a study out about facebook and peer pressure and it doesn't look good.

      But so that you know, from someone that has crossed that river a few decades ago, it is OK not to do the same thing that everybody else does. In other words, its' ok to be weird. Not too weird, but just different than everybody else. As matter of fact, different people are more interesting, again, just not TOO different.

      My kids, grandkids, nephews and nieces think I'm weird for not using an iphone, whatsapp, or even banking and facebook on my phone. Even though I taught them all how to use a computer. But time and time again I feel good for not being influenced by my "peer" pressure. It's a crazy world today and very difficult to navigate. Choice is being eroded by all sides and you have to be very confident on your decision making to resist the pressure. (*insert a grandad's joke here*)

    8. Anonymous Coward
      Anonymous Coward

      Re: Trapped

      My security plan was this. Several years ago I installed Signal and established connections to some key acquaintances and with Signal’s most secure - timed msg erasure, only using their servers even if a tad slower, and switching off iOS “recent messages” (also installed Threema but that seldom used,) picked a good paid VPN with no logging in a jurisdiction far, far away, then a year ago dumped FB. After 6 months, reinstalled (never at anytime FB messager or Whatapp) limited strictly with all their restrictions switched on and my restrictions of 20 “friends” mostly distant and *sigh* network sloppy relatives with no other way they can be reached. Security hygiene is so important nowadays and many users are asleep at wheel and like it that way.

  21. Amentheist
    Joke

    Oh noo

    And the NSA /just/ announced they're mass surveillance programme..

  22. N2
    WTF?

    Considering the severity of the issue

    There is absolutely fucking nothing regarding the matter on their website

    Or is it everyone else's job to sort out the mess?

  23. Anonymous Coward
    Anonymous Coward

    So this is only one hack we _know_ (found out) about.

    The dangerous ones are not the ones you watch; the Really dangerous ones are the ones you Know you can Trust.

    And, just to re-iterate the point raised by an earlier comment: if most of the engineers use(d) Watsapp...

    Google : "Ken Thompson Hack"

    1. IanTP
      Black Helicopters

      I don't normally reply to AC's but you would like me to type a phrase into google and presumably click on the top link?

      You are GCHQ and I claim my £5!

      Icon because, obvs.

  24. hc289

    How do I know?

    How do I know if I'm already infected? All the articles on this focus on prevention (updating) but what if I'm already compromised?

    1. doublelayer Silver badge

      Re: How do I know?

      You can't really detect that. However, if you kill the app, which will happen automatically if you install the update, it will kill any compromised sessions and prevent new ones from starting. You would not know whether you have been attacked or, if you were, what if any data was extracted. There is no log of this from the application itself, as any logs could be written by the malware.

    2. Anonymous Coward
      Anonymous Coward

      Re: How do I know?

      If you are worried you could try a factory reset on your phone. Maybe half an hour of inconvenience.

  25. batfink

    Of course this couldn't affect national security

    It's a good thing that our UK politicians don't use WhatsApp for all their private plotting/machinations/etc. And I'm sure that they wouldn't ever use it to discuss matters of national security.

    Oh wait...

    Well at least on the plus side, Gavin Williamson now has another line he can use to claim that he wasn't a leaker.

  26. Anonymous Coward
    Anonymous Coward

    Computer security, hahaha, no such thing, only levels of insecurity.

  27. Anonymous Coward
    Anonymous Coward

    Facebook backdoor

    I think someone may have discovered the Facebook backdoor that they put into Whatsapp.

  28. Uplink

    Removing the infection

    The article doesn't even touch on how to remove the infection, so while I'm not a security expert by any means, I'll wager an educated guess*:

    - Option 1: If it's just in-memory, open the task manager and swipe WhatsApp away, or reboot your phone.

    - Option 2: If it does save a patch to the binary and it's not caught by integrity checks, just update it from Google Play, because the sandbox will be cleaned and replaced, wiping the malware in the processes.

    How did I do? Am I even close?

    * I'm making an ass of u and me here, hoping they didn't find a privilege escalation bug in Android itself to break out of the sandbox and persist a rootkit.

    1. doublelayer Silver badge

      Re: Removing the infection

      You are correct in both cases. I'm not sure if android allows it, but you can't modify binaries in place on IOS, so killing the app will close any connections. Updating will help too. Not using what's app is similarly effective.

  29. Jove Bronze badge

    Oh Dear ...

    Facebook losing it's monopoly over rifling our data.

  30. Anonymous Coward
    Anonymous Coward

    What about Signal

    Is Signal also vunerable? I though What's App was forked from it.

    1. doublelayer Silver badge

      Re: What about Signal

      Signal is not vulnerable to this, but could conceivably have a similar bug. It is open source, so that bug is more likely to be detected if introduced. What's app was not forked from signal (in fact it existed years earlier), nor was signal in any way forked. They're just two apps that look kind of similar. All the infrastructure, people involved, and app code is entirely different.

      1. Anonymous Coward
        Anonymous Coward

        Re: What about Signal

        "Open source" is meaningless when you are installing a binary that may or may not have been compiled from that same source you can view. That might give you some comfort that Signal does not include an accidental buffer overflow (unless you missed it) but are you 100% confident that Signal does not include a DELIBERATE buffer overflow in the binary versions that isn't present in the source you can download.

        If you are 100% confident, you are naive - it would be simple for someone to introduce into the build system by a third party if they were hacked, or placed there deliberately by the owners or by a compromised member of the build team.

        1. doublelayer Silver badge

          Re: What about Signal

          If that's the paramount problem for you, you can take that source and compile it yourself. But that's not really that concerning, because the risk of someone maliciously compiling a different binary and somehow getting it to you is less than someone finding a bug in existing code. The latter is much easier and more likely to occur. The former requires that signal themselves do that, or maybe that Google does so (you have things like FDroid, though), and that could be detected without much difficulty. So my point, that it is easier to audit the code if you can read it, still stands and your objections as stated are largely irrelevant.

      2. Anonymous Coward
        Anonymous Coward

        Re: What about Signal

        But at a later date WhatsApp then started to use Signal’s encryption code, so what was probably being asked was whether the vulnerability was in the encryption code or in another part of the app. If in the encryption code, would this not potentially make Signal similarly vulnerable?

  31. Anonymous Coward
    Anonymous Coward

    Anyone know who specifically was targeted? UK based human rights lawyer is a bit vague

    1. Anonymous Coward
      Anonymous Coward

      From the Guardian: "The [UK based] lawyer, who was not identified by name [by the Financial Times], is involved in a lawsuit against NSO brought by a group of Mexican journalists, government critics and a Saudi Arabian dissident."

  32. anthonyhegedus Silver badge

    What about phones that have already been hacked? How do you make sure they're clean of spyware? Asking for a friend

    1. Anonymous Coward
      Anonymous Coward

      Nuke it from space. Only way to be sure.

  33. andy 103

    avoid any user interaction

    "to avoid any user interaction to achieve an automatic, silent infection."

    That's the key, and very frightening. Users assume that they will get some sort of UI notification if anything they don't want/expect to be happening, is happening.

    It's scary to know how much stuff goes on in the background without users knowledge at all even with "legitimate" apps that the user has knowingly installed. A case in point is people suggesting they have seen adverts for products they have talked about. A possibility that their phone mic is being used to stream and analyse that data?

    The devices people have are capable of so much, yet they are usually unable to conceive the idea that unless they are being told something is explicitly happening, it won't happen to them.

  34. David Nash Silver badge

    when did they fix it?

    The article says they rolled out a fix on Monday, however my Android WhatsApp says it's the latest version (2.19.134), no update is available, and last updated 10/5/2019, ie before Monday.

    1. shellsforsale

      Re: when did they fix it?

      The issue affects WhatsApp for Android prior to v2.19.134

  35. jbuk1

    Isn't it interesting that the version history for 2.19.51 (the emergency release to fix the issue) in the ios app store reads "You can now see stickers in full size..."

    Absolutely nothing about fixing a critical bug or that you should upgrade to this version as a matter of urgency.

  36. Anonymous Coward
    Anonymous Coward

    And the infected ones are...

    So, we have some significant question here.

    How do one know if has been a victim of the vulnerability? How do one know if his phone is spied on? Can a regular antivirus on phone detect the NSO spyware (I think not)? Can the user still trust the privacy of your phone?

    Because no one knows for how much time this vulnerability is being exploited, nor the number of phones affected. Could be a mass infection, some governments would love that.

    For me, in a perfect world, WhatsApp taking responsibility on this flaw would mean giving its users the tools to tell if they're infected or not.

  37. Boris the Cockroach Silver badge

    refused whatsapp

    when friends said "use whatsapp to talk to us"

    Looked at the access the app wanted

    Mic

    Speaker

    Camera(these are understandable)

    gallery

    contacts

    contacts history

    etc etc

    In other words... upload the contents of your phone to FB for them to look through and steal the juicy bits worth money.

    A big fat NOPE appeared in front of me.... hence only trusted friends get my mobile number

    Oh and a buffer overflow attack???? hell clock cycles are cheap... do the check as the buffer fills guys... sheesh

  38. elvisimprsntr

    FB != security | privacy

  39. Anonymous Coward
    Anonymous Coward

    Oh, look.

    Oh, look. A security breach involving Facebook. It must be a day that ends in -day.

  40. raving angry loony

    Hypocrisy

    USA/UK and others when a group that isn't purely pro-corporate hacks software: HANG THEM HIGH!

    USA/UK and others when a group that's totally pro-corporate, almost fascist hacks software: Nothing to see here, move along.

    1. ROC
      Big Brother

      Re: Hypocrisy

      In RED China, co-opt all businesses by law to be subservient to state "interests". Nice and simple, eh?

  41. Anonymous Coward
    Big Brother

    WhatsApp mobile spyware?

    a. Does this buffer overflow work across all platforms?

    b. Why didn't the security team at WhatsApp pick this up in the testing phase?

    c. They do actually test the device for security vulnerabilities?

  42. Matthew Anderson

    So NSO are denying all responsibility by claiming they do not use the technology themselves but simply design it and sell it to government agencies, what is done with the software after that is not of their knowledge nor responsibility.

    Did several countries not create new malware laws covering just that eventuality, so that software authors could not claim their code was a security utility despite its targeted/intended audience?

    The Reg tagline of biting the hand that feeds IT comes to mind there. Surely the NSO are in breach of the updated laws and should be held accountable no?

  43. Nifty Silver badge

    On the IOS app store at this moment: A version 2.19.51 update for Whatsapp.

    Description: "You can now see stickers in full size when you long press a notification".

    So, Whatsapp knew about this vulnerability? That's meant to be the patched version.

    Also the malware practically sounds as if it's got root access ("can alter your call logs"). What's to prevent it faking the update process when you do it and how do you know the malware is gone?

  44. Nano nano

    plain sight

    Given that WhatsApp has been run by FB for ages now, and that buffer overflows are classic exploits, it seems odd that this was not found sooner, with tools like Coverity etc around.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like