WhatsApp on Tuesday urged users to upgrade the application to plug a security hole that allowed for the injection of sophisticated malware that could be used to spy on journalists, activists and others. Facebook-owned WhatsApp said it released an update to fix the vulnerability in the messaging app used by 1.5 billion people around the world. “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a company statement said. The WhatsApp spyware is sophisticated and “would be available to only advanced and highly motivated actors,” the company said, adding that a “select number of users were targeted.”
“This attack has all the hallmarks of a private company that works with a number of governments around the world,” according to initial investigations, it added, but did not name the firm. The spyware appears to be related to the Pegasus software developed by Israel-based NSO Group, which is normally sold to law enforcement and intelligence services, according to Washington-based analyst Joseph Hall. The spyware “could have gotten into someone’s hands” outside legitimate channels for nefarious purposes, Hall, chief technologist at the Center for Democracy and Technology, told AFP. “It’s unclear who is doing this.”
– Big risks –
Hall said the unpatched security flaw opens the door to spying by rogue entities on human rights activists, journalists and others. “The potential danger is quite large,” he said. “These kinds of apps that do encrypted messaging and encrypted phone calls tend to store the most secretive data that people need to protect.” He said dissidents and pro-democracy activists seeking to remain anonymous rely on these encrypted applications, as do journalists when speaking with sources about sensitive information.
The latest scam — which impacts Android devices and Apple’s iPhones, among others — was discovered earlier this month and WhatsApp scrambled to fix it, rolling out an update in less than 10 days. The firm did not comment on the number of users affected or who targeted them, and said it had reported the matter to US authorities. It also informed EU authorities in Ireland about the “serious security vulnerability,” according to a statement by the country’s Data Protection Commission (DPC).
“The DPC is actively engaging with WhatsApp Ireland to determine if and to what extent any WhatsApp EU user data has been affected,” it said. The revelation is the latest in a series of issues troubling WhatsApp’s parent Facebook, which has faced intense criticism for allowing users’ data to be harvested by research companies and over its slow response to Russia using the platform as a means to spread disinformation during the 2016 US election campaign.