
SoylentNews is people

posted by Fnord666 on Tuesday May 14 2019, @06:06PM
from the ring-ring-malware-calling dept.

A WhatsApp Call Can Hack a Phone: Zero-Day Exploit Infects Mobiles with Spyware:

A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims' smartphones: all a snoop needs to do is make a booby-trapped voice call to a target's number, and they're in. The victim doesn't need to do a thing other than leave their phone on.

The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information on a handheld, and potentially further compromises the device. Call logs can be altered, too, to hide the method of infection.

To pull off this intrusion, the attacker has to carefully manipulate packets of data sent during the process of starting a voice call with a victim; when these packets are received by the target's smartphone, an internal buffer within WhatsApp is forced to overflow, overwriting other parts of the app's memory and leading to the snoop commandeering the chat application.

Engineers at Facebook scrambled over the weekend to patch the hole, designated CVE-2019-3568, and freshly secured versions of WhatsApp were pushed out to users on Monday. If your phone offers to update WhatsApp for you, do it, or check for new versions manually. The vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of the app, which is used by 1.5 billion people globally.

"A buffer overflow vulnerability in WhatsApp VoIP [voice over IP] stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number," said Facebook in an advisory on Monday.

"The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."

[...] Pegasus, once installed on a victim's device, can record phone calls, open messages, activate the phone's camera and microphone for further surveillance, and relay back location data. While NSO claims it carefully vets its customers, the malware has been found on the phones of journalists, human rights campaigners, lawyers, and others.

Also at: Ars Technica, Facebook.
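
To make the bug class concrete, here is an added example (not WhatsApp's code; the story gives no detail of the actual flaw beyond "buffer overflow" in SRTCP handling) of the length check a receiver needs before copying a control packet into a fixed-size buffer. It assumes already-decrypted RTCP with the RFC 3550 header layout; `REPORT_BUF`, `rtcp_copy_one` and `rtcp_walk` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REPORT_BUF 64  /* hypothetical fixed-size buffer for one RTCP packet */

/* Copy one RTCP packet (RFC 3550 header: V/P/RC, PT, then a 16-bit length
 * in 32-bit words minus one) from data[0..avail) into out[REPORT_BUF].
 * Returns bytes consumed, or -1 if the packet must be dropped. */
int rtcp_copy_one(const uint8_t *data, size_t avail, uint8_t *out)
{
    if (avail < 4 || (data[0] >> 6) != 2)   /* short header or version != 2 */
        return -1;
    size_t claimed = ((size_t)((data[2] << 8) | data[3]) + 1) * 4;
    /* The length field comes from the sender. An unchecked
     * memcpy(out, data, claimed) would overrun out[] when claimed exceeds
     * REPORT_BUF, or read past the datagram when it exceeds avail. */
    if (claimed > avail || claimed > REPORT_BUF)
        return -1;
    memcpy(out, data, claimed);
    return (int)claimed;
}

/* Walk a compound RTCP datagram. Returns the number of packets accepted,
 * or -1 if any sub-packet is malformed (the whole datagram is rejected). */
int rtcp_walk(const uint8_t *data, size_t len)
{
    uint8_t buf[REPORT_BUF];
    int count = 0;
    while (len > 0) {
        int used = rtcp_copy_one(data, len, buf);
        if (used < 0)
            return -1;
        data += used;
        len -= (size_t)used;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed samples: a valid 8-byte packet, then one whose length
     * field claims 512 bytes although only 8 were received. */
    const uint8_t ok[8]  = {0x80, 200, 0x00, 0x01};
    const uint8_t lie[8] = {0x80, 200, 0x00, 0x7f};
    return (rtcp_walk(ok, sizeof ok) == 1 && rtcp_walk(lie, sizeof lie) == -1) ? 0 : 1;
}
```

Rejecting the whole datagram on the first bad length, rather than truncating the copy, keeps later parsing from running on a partially filled buffer.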



  • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @06:46PM (2 children)

    by Anonymous Coward on Tuesday May 14 2019, @06:46PM (#843533)

    Well, at least this vulnerability can't be blamed on Facebook like all of the recent episodes of data "leakage". What? Facebook owns WhatsApp? Really? What are the chances?

  • (Score: 2) by ikanreed on Tuesday May 14 2019, @07:25PM (1 child)

    by ikanreed (3164) on Tuesday May 14 2019, @07:25PM (#843547)

    You say that like other tech companies don't suck ass at basic security when it's at odds with making gobs of money.

    • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @07:33PM

      by Anonymous Coward on Tuesday May 14 2019, @07:33PM (#843551)

      Another AC here.

      This wasn't for making lots of money. It was a honeypot so that people around the world who have legitimate things to hide can be exposed.