This is how attackers were able to spread spyware through WhatsApp with just a phone call
- A recently fixed vulnerability in WhatsApp allowed attackers to spread spyware to mobile devices with just a phone call.
- The attackers exploited a vulnerability known as a buffer overflow, a class of bug that has existed for decades.
Earlier this week, it was reported that a vulnerability in Facebook's popular WhatsApp messaging service made it possible for attackers to spread spyware to smartphones via phone calls made through the app.
To do so, hackers exploited what is known as a buffer-overflow vulnerability within WhatsApp. The vulnerability was first reported by the Financial Times, and the company said it quickly fixed it. A buffer overflow is exactly what its name implies: an issue that can occur when an app is flooded with more data than it can store in its buffer, or temporary storage space.
"A buffer overflow occurs when a programming error allows more data to be written to a given area of memory than can actually be stored there," Rik Ferguson, the vice president of security research at the security-software firm Trend Micro, told Business Insider via email. "The extra data flows into adjacent storage, corrupting or overwriting the data previously held there, and can cause crashes, corruptions, or serve as an entry point for further intrusions."
In the case of the WhatsApp attack, intruders exploited the buffer overflow bug through the app's phone call function to inject spyware onto smartphones without their owners' knowledge, the Financial Times reported. The exploit would work even if the victim did not answer the call, the report said.
To understand how this is possible, it helps to know how WhatsApp's calling functionality works. Like many popular messaging apps, WhatsApp employs a widely used technology known as Voice over Internet Protocol (VoIP), which allows users to make and receive phone calls over the internet rather than through a standard telephone line.
When you receive a phone call through WhatsApp, the app sets up the VoIP transaction and the encryption that goes along with it, Ferguson said. It then notifies the user of the incoming call and prepares to either accept, decline, or ignore the call based on the user's input.
"It is my understanding that the buffer overflow exploit occurs during this phase, which is why the recipient does not need to answer the call to be successfully compromised," Ferguson said.
Buffer overflow vulnerabilities have existed for decades, even dating back to the famous Morris Worm from 1988, which is widely perceived as being one of the earliest iterations of the modern internet-spread virus. According to Ferguson, instances of buffer overflow exploits have been documented as far back as 1972, and programming languages such as C and C++ are particularly prone to them even today. "Finding them is difficult and successful exploitation even more complex, but attackers and researchers still regularly do so," he said.
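The programming error described above, as an added C example (not from the article and not WhatsApp's code): a parser for a hypothetical length-prefixed call-setup message, with the unchecked copy beside a bounds-checked version. The message layout, `NAME_CAP`, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32  /* fixed buffer size (constructed value) */

/* Hypothetical call-setup record; layout is an assumption for illustration.
 * Constructed wire format: [1-byte name length][name bytes][1-byte flags] */
struct call_setup {
    char    caller_name[NAME_CAP]; /* the buffer */
    uint8_t flags;                 /* adjacent data an overflow would overwrite */
};

/* BEFORE: trusts the sender's length byte. A length above NAME_CAP makes
 * memcpy write past caller_name into flags and whatever follows the struct.
 * Kept for contrast only; nothing in this file calls it. */
int parse_setup_unchecked(const uint8_t *pkt, struct call_setup *out)
{
    uint8_t name_len = pkt[0];
    memcpy(out->caller_name, pkt + 1, name_len); /* missing bounds check */
    out->flags = pkt[1 + name_len];
    return 0;
}

/* AFTER: checks the declared length against the destination and the input. */
int parse_setup_checked(const uint8_t *pkt, size_t pkt_len, struct call_setup *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;                    /* too short for length byte + flags */
    size_t name_len = pkt[0];
    if (name_len >= NAME_CAP)
        return -2;                    /* does not fit (one byte kept for NUL) */
    if (pkt_len != name_len + 2)
        return -3;                    /* declared length disagrees with packet */
    memset(out, 0, sizeof *out);      /* also guarantees NUL termination */
    memcpy(out->caller_name, pkt + 1, name_len);
    out->flags = pkt[1 + name_len];
    return 0;
}

int main(void)
{
    uint8_t ok[] = {3, 'b', 'o', 'b', 1};  /* constructed: valid message */
    uint8_t big[202] = {200};              /* constructed: claims 200 name bytes */
    struct call_setup cs;
    printf("valid: %d, oversized: %d\n",
           parse_setup_checked(ok, sizeof ok, &cs),
           parse_setup_checked(big, sizeof big, &cs));
    return 0;
}
```

The checked parser rejects the message before any byte is copied, which is the property that matters for data handled during call setup, before the user has answered.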
The malicious code used in the WhatsApp attack was developed by Israeli firm NSO Group, which develops a product called Pegasus that can activate a smartphone's camera and microphone, the report said. The firm's software has been previously linked to attempts to manipulate devices belonging to activists. In 2016, for example, prominent human rights activist Ahmed Mansoor received a text message with a link that would have installed software from NSO Group on his phone, watchdog organisation Citizen Lab discovered.
WhatsApp hasn't said how many of the app's 1.5 billion users have been affected, but it's encouraging all users to upgrade to the latest version of the app.