Facebook-owned WhatsApp is today advising its 1.5 billion global users to immediately update or re-install, after a suspected surveillance operation successfully exploited a major vulnerability.
As reported in the Financial Times and the BBC, Israeli firm NSO Group, described as an 'advanced cyber actor', was able to use the popular messaging app to install spyware on the phones of human rights lawyers and campaigners to eavesdrop on their communications.
WhatsApp is no stranger to cybersecurity issues. Back in 2014, a security researcher identified a fundamental security flaw which enabled him to upload a user's chat database to a third-party server: on Android the database was stored on the SD card, where any other app granted storage access could read it.
What's different about this hack is that phones were infected with zero clicks, i.e. without the user taking any action (such as mistakenly tapping a link in a WhatsApp message). It involved using the app's voice-call function to ring a target's phone.
Even if no one picked up, the malware would still be installed and the call would then be deleted from the device’s call log.
In an advisory for security specialists (tracked as CVE-2019-3568), WhatsApp said the flaw was a 'buffer overflow vulnerability in VoIP (voice over internet protocol) which allowed remote code execution via specially crafted series of packets sent to a target phone number.' The packets in question are SRTCP, the control channel that runs alongside the encrypted voice stream.
In other words, the attacker's device initiated a call and, during call set-up, sent a series of malformed call-control packets. The code that parses those packets copied more data than its buffer could hold, so attacker-controlled bytes overwrote adjacent memory and diverted execution. Because this happens while the call is still being set up, the target never has to answer.
Simply ringing the target phone was enough to open a small door for malware to be installed, allowing the attacker to take control of key device functions such as the camera and microphone, and to read data such as call logs, messages, and location information.
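To make the class of bug concrete, here is an added illustration in C; it is not WhatsApp's code (the affected VoIP stack is not public) and does not reproduce the real exploit. It assumes a toy call-control record format ([type:1][length:1][payload]) sent as a series, a fixed 16-byte payload slot, and a 4-byte sentinel standing in for whatever lives next in memory. The vulnerable parser trusts the declared length against the destination; the hardened version checks it against both the slot and the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy record format: [type:1][len:1][payload:len], several in a row. */
#define SLOT_SIZE 16

/* Call-session memory: a 16-byte payload slot immediately followed by a
 * 4-byte sentinel that models the next thing in memory (a saved pointer,
 * a length field, a function pointer). Kept in one array so the overflow
 * in the demo stays inside an object we own. */
typedef struct {
    uint8_t bytes[SLOT_SIZE + 4];
} session_t;

static const uint8_t SENTINEL[4] = {0xDE, 0xAD, 0xBE, 0xEF};

void session_init(session_t *s) {
    memset(s->bytes, 0, sizeof s->bytes);
    memcpy(s->bytes + SLOT_SIZE, SENTINEL, sizeof SENTINEL);
}

int sentinel_intact(const session_t *s) {
    return memcmp(s->bytes + SLOT_SIZE, SENTINEL, sizeof SENTINEL) == 0;
}

/* Vulnerable: checks the record is fully present in the packet (so the
 * demo never reads out of bounds) but never compares the declared length
 * with SLOT_SIZE, so a record declaring >16 bytes writes past the slot.
 * Returns the number of records parsed. */
int parse_series_vulnerable(session_t *s, const uint8_t *pkt, size_t pkt_len) {
    int records = 0;
    size_t off = 0;
    while (off + 2 <= pkt_len) {
        uint8_t len = pkt[off + 1];
        if (pkt_len - off - 2 < len) break;     /* truncated record: stop */
        for (size_t i = 0; i < len; i++)
            s->bytes[i] = pkt[off + 2 + i];     /* BUG: i may reach SLOT_SIZE */
        off += 2 + len;
        records++;
    }
    return records;
}

/* Hardened: rejects a record that would not fit the slot or that claims
 * more bytes than the packet carries. Returns records parsed, or -1. */
int parse_series_hardened(session_t *s, const uint8_t *pkt, size_t pkt_len) {
    int records = 0;
    size_t off = 0;
    while (off + 2 <= pkt_len) {
        uint8_t len = pkt[off + 1];
        if (len > SLOT_SIZE) return -1;         /* would overflow the slot */
        if (pkt_len - off - 2 < len) return -1; /* truncated record */
        memcpy(s->bytes, pkt + off + 2, len);
        off += 2 + len;
        records++;
    }
    return records;
}

/* Runs one parser over a fresh session; reports whether the sentinel survived. */
int run_case(int (*parser)(session_t *, const uint8_t *, size_t),
             const uint8_t *pkt, size_t pkt_len, int *intact) {
    session_t s;
    session_init(&s);
    int r = parser(&s, pkt, pkt_len);
    *intact = sentinel_intact(&s);
    return r;
}

/* Constructed sample: two well-formed records of 8 and 4 payload bytes. */
static const uint8_t BENIGN[] = {0x01, 8, 'h','e','l','l','o','!','!','!',
                                 0x02, 4, 'p','i','n','g'};
/* Constructed sample: one record declaring 20 payload bytes, 4 past the slot. */
static const uint8_t MALICIOUS[] = {0x01, 20, 'A','A','A','A','A','A','A','A','A','A',
                                             'A','A','A','A','A','A','A','A','A','A'};
/* Constructed sample: a record that claims 10 bytes but carries only 3. */
static const uint8_t TRUNCATED[] = {0x01, 10, 'a','b','c'};

int main(void) {
    int intact;
    int r = run_case(parse_series_vulnerable, MALICIOUS, sizeof MALICIOUS, &intact);
    printf("vulnerable: records=%d sentinel %s\n", r, intact ? "intact" : "OVERWRITTEN");
    r = run_case(parse_series_hardened, MALICIOUS, sizeof MALICIOUS, &intact);
    printf("hardened:   result=%d sentinel %s\n", r, intact ? "intact" : "OVERWRITTEN");
    return 0;
}
```

The two checks in the hardened parser are the whole fix: the destination capacity and the bytes actually received are both untrusted-input boundaries, and a parser that validates only one of them is still exploitable from the other side.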
Zero click exploits are here
Mobile security firm Lookout has been warning since January that a number of 'state-funded actors' were claiming they had perfected a zero-click infection capability for smartphones using a variety of tactics, from infected iMessages on Apple iOS to exploits in WhatsApp and Android MediaServer.
Another study in January found vulnerabilities in a WiFi chipset commonly used in laptops, gaming consoles, media streaming and some smart home devices that could be used to compromise them without any action being taken by the end user.
As a method of attack zero click is particularly insidious and difficult to defend against.
It sidesteps the growing awareness of phishing emails and infected attachments as attack vectors by infecting devices through paths that need no user decision: when a device connects automatically to a network, when a message is parsed on receipt, or when a voice-over-IP (VoIP) call is set up between two devices.
WhatsApp is well-known for the strong end-to-end encryption it applies to all communications between users, but that protects messages in transit, not the endpoint. It is little comfort when malware can be installed through the call-signalling exchange that happens before an incoming call is even answered; once the device is compromised, the attacker reads messages after they have been decrypted.
Exploited mobile apps — the gift that keeps on giving
Exploits relying on zero-click require a high degree of sophistication and large budgets, so for now their use is likely to be limited and highly targeted.
Still, in cybersecurity terms, mobile apps are special. They can be used to steal data, eavesdrop on private communications, or give hackers a foothold in corporate networks. Cybercriminals see them as a prime attack vector and work continually to find new exploits, or create bogus apps which are little more than delivery mechanisms for malware.
WhiteHat Security performed a series of security tests against mobile apps in 2017 and found that 90 per cent of Android apps had serious vulnerabilities that would allow sensitive data to be exposed.
Apple's iOS fared better, but still fell short, with 30 per cent of apps having security flaws.
What can I do?
A survey by Kaspersky Labs suggests just 43 per cent of iPhone users have installed a security application, and just 53 per cent of Android users.
The first step, and the one that closes holes like the WhatsApp flaw, is applying updates to the operating system and to apps as soon as they are released. Alongside that, installing and keeping updated a leading mobile security app such as Lookout, Sophos or Kaspersky, which continually monitors the device for malware and flags insecure network connections, adds a layer of detection for threats a patch alone will not cover.
Along with that there are other steps you can take to ward off hackers and protect important data. Some of these will impact convenience, but they will help you stay aware of what’s happening on your devices and make good decisions ‘in the moment’:
- Only install apps found on official application stores
- Read each permission request an app triggers before granting it, and deny anything the app does not plausibly need
- Use each app’s native security features like password protection and secure connections
- Update operating system and mobile applications to the latest version as soon as prompted
- Don’t open or download files from unknown sources
- Don’t click links from suspicious senders
- Don’t ‘jailbreak’ devices to get around built-in controls and restrictions
- Switch off automatic WiFi or Bluetooth connections
- Use encryption features for any sensitive data stored on your phone
- Back up important data and test the recovery procedures
Want to learn more about empowering employees and raise awareness of mobile app security? Sign up for a free demo and find out how we’re already helping organisations just like yours.