WhatsApp fixes a critical vulnerability that let attackers install spyware on phones

• The serious buffer overflow vulnerability lied in the audio call feature of WhatsApp.
• The bug is patched in all the major mobile platforms on which WhatsApp is officially available.

Popular instant messenger WhatsApp was discovered having a serious security hole in the application. A buffer overflow vulnerability in WhatsApp could have allowed attackers to install spyware on mobiles. It was reported that the spyware could be installed through a WhatsApp audio call made to victims, regardless of whether they answered the call or not.

The vulnerability was actually identified by WhatsApp in the first week of May but it took a few days to work on this issue. The Facebook-owned company has disclosed the details of this vulnerability in a security advisory.

What is the vulnerability?

• According to the advisory published this month, the bug, designated as CVE-2019-3568, is a buffer overflow vulnerability existing in WhatsApp VOIP stack that allowed remote code execution(RCE). RCE could be carried out using a specially crafted series of SRTCP packets sent to victims having WhatsApp.
• The bug is reportedly patched in WhatsApp versions v2.19.134 (Android), v2.19.51 (iOS), v2.18.348 (Windows Phone) and v2.18.15 (Tizen).
• WhatsApp Business was also affected by this vulnerability. However, it has been patched in versions v2.19.44 (Android) and v2.19.51 (iOS). Users are advised to update to the latest version using their respective app store.

Pegasus spyware suspected

In a statement to The Financial Times, WhatsApp actually told that a private company was abusing this vulnerability to conduct cyber espionage. “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society,” said WhatsApp.

It is speculated that the Pegasus spyware, created by the NSO group, was largely exploiting this vulnerability.