What’s Up With WhatsApp? - Security Woes & More

PRITHIV on May 24, 2019

NOTE: BEFORE READING THIS ARTICLE, PLEASE UPDATE WHATSAPP. WE’LL WAIT!

Given WhatsApp’s much-vaunted end-to-end encryption, one might assume that it’s a reasonably safe platform on which to share private information. Other than choosing the recipient of the communication carefully, it has always appeared that there’s not much risk of leaks when using this direct messaging service to keep in touch - or to share our live location, our innermost thoughts, even occasionally our financial information.

However, with the latest news coming out of Israel, we now understand that WhatsApp’s encryption is not a guarantee against lapses.

As first reported by The Financial Times, surveillance software was installed on targeted smartphones through a vulnerability in WhatsApp calls. The hack, the British newspaper reported, would allow the hacker to work around WhatsApp’s encryption and read messages.

On Sunday, a UK-based human rights lawyer was allegedly attacked with Pegasus (a spyware), and the attack was repulsed by WhatsApp. However, it is unclear how many, if any, other WhatsApp users were successfully attacked by Pegasus. According to the BBC, WhatsApp has acknowledged that the hack occurred and that a ‘select number of users’ were targeted. “Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data,” according to The Verge.

With a single WhatsApp call, the spyware can be installed without a trace. What makes it worse is that the spyware can be installed even if the target does not answer the call. More disturbingly, the missed call often disappears from the call logs. As a result, the victim may not know that they were targeted at all.

The Financial Times added that: “Within minutes of the missed call, the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages or location, and even turns on the camera and microphone to live-stream meetings.”

Hackers infiltrated a still unknown number of phones using malicious spyware called Pegasus. This code, once installed, can access pretty much any information on your phone, encrypted or otherwise. Pegasus is used to gain remote access to smartphones, and has been used by governments to snoop on journalists. According to WhatsApp: “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.” This is widely taken to mean the NSO Group, the company that developed Pegasus in the first place. Though the NSO Group claims to sell spyware to governments to help fight crime and terror, the most charitable reading must admit that its spyware lends itself to abuse by governments of questionable morality.

The NSO Group largely operated under the radar before 2016. While it has built up a formidable reputation on the back of its ability to break through Apple’s rigorous privacy and security measures, last week’s attack shows that WhatsApp is a new target. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society,” WhatsApp said in a statement.

This was a zero-day vulnerability (one discovered by the developers only after the attack, leaving them zero days to fix the issue in advance). WhatsApp has already resolved the issue in the latest version it has rolled out, and urges its users around the world to update their apps.

The BBC reported that “journalists, lawyers, activists and human rights defenders”, most specifically human rights lawyers, were the most likely targets of this weekend’s attack. However, all WhatsApp users who are not using the latest version of the app could be vulnerable. Please therefore update your app today.

This particular hack has, in all probability, not impacted your phone (unless you are a human rights activist, politician, journalist or lawyer). This attack seems to have targeted major players around the world. However, the attack has revealed vulnerabilities in WhatsApp's systems.

If you are still using any of these versions of WhatsApp, please update right away to the latest version.

  • WhatsApp for Android prior to v2.19.134

  • WhatsApp Business for Android prior to v2.19.44

  • WhatsApp for iOS prior to v2.19.51

  • WhatsApp Business for iOS prior to v2.19.51

  • WhatsApp for Windows Phone prior to v2.18.348

  • WhatsApp for Tizen prior to v2.18.15
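
For anyone checking more than one device, the version list above can be turned into an inventory check. The following is an added example, not code from WhatsApp or from this article's author; the device names and installed versions in SAMPLE are constructed, and only the fixed-version thresholds come from the list above. It compares versions numerically, because plain text comparison would wrongly rank 2.19.98 above 2.19.134.

```python
# Added example: flag devices running a WhatsApp build older than the fixed
# versions listed in this article. Inventory rows below are constructed.

# First fixed version per (app, platform), taken from the article's list.
FIXED = {
    ("WhatsApp", "Android"): "2.19.134",
    ("WhatsApp Business", "Android"): "2.19.44",
    ("WhatsApp", "iOS"): "2.19.51",
    ("WhatsApp Business", "iOS"): "2.19.51",
    ("WhatsApp", "Windows Phone"): "2.18.348",
    ("WhatsApp", "Tizen"): "2.18.15",
}

def parse_version(text):
    """Turn 'v2.19.134' into (2, 19, 134) so components compare as numbers."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(app, platform, installed):
    """Return 'vulnerable', 'patched', or 'unknown' for one installed build."""
    fixed = FIXED.get((app, platform))
    if fixed is None:
        return "unknown"          # platform not covered by the list
    try:
        have = parse_version(installed)
    except ValueError:
        return "unknown"          # needs a manual look, never assume patched
    want = parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))   # '2.19' is treated as '2.19.0'
    want += (0,) * (width - len(want))
    return "vulnerable" if have < want else "patched"

def audit(rows):
    """rows: (device, app, platform, version) -> same rows plus a status."""
    return [row + (status(*row[1:]),) for row in rows]

SAMPLE = [  # constructed inventory, for illustration only
    ("phone-01", "WhatsApp", "Android", "2.19.98"),
    ("phone-02", "WhatsApp", "Android", "v2.19.134"),
    ("phone-03", "WhatsApp Business", "Android", "2.19.5"),
    ("phone-04", "WhatsApp", "Tizen", "2.18.9"),
    ("phone-05", "WhatsApp", "KaiOS", "2.19.1"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Treat every "unknown" row as needing a manual check rather than as safe.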

Malware of any kind is dangerous to all of us. Keep yourself up-to-date and informed, and take all due action to protect your data and your privacy. Stay safe!

 

Writing credit: Authored by Prithiv, a Mobicip researcher who writes about the effects of technology on health and well-being.
