On May 13, the Financial Times and other media reported that spyware created and marked by an Israeli technology firm, NSO Group, can exploit a security flaw in the popular messaging app WhatsApp “to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call.”
WhatsApp researchers reportedly found the flaw in early May, and identified the spyware as Pegasus, which NSO Group developed. Previously, according to Forbes, Pegasus was found to exploit iOS vulnerabilities and install on iPhones to acquire “all communications and locations of the targeted iPhones,” including “iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype communications,” as well as Wi-Fi passwords.
In a public statement responding to these reports, WhatsApp did not name NSO Group, but commented that “[t]his attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.” It also encouraged people “to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.” In addition, Facebook, which owns WhatsApp, posted details about the vulnerability for computing professionals.
Note: Given the reported sophistication of the spyware, Information-security teams at companies and government agencies should promptly circulate information about the WhatsApp vulnerability, including instructions on updating the app, to all employees. Chief Information Security Officers (CISOs) should also emphasize to senior executives the importance of promptly installing the updates, and advise them to inform CISO team members of any unusual occurrences with any mobile device on which the executives have installed WhatsApp.