Attackers have been exploiting a vulnerability in WhatsApp that allowed them to infect phones with advanced spyware made by Israeli developer NSO Group, the Financial Times reported on Monday, citing the company and a spyware technology dealer.
A representative of WhatsApp, which is used by 1.5 billion people, told Ars that company researchers discovered the vulnerability earlier this month while they were making security improvements.
CVE-2019-3568, as the vulnerability has been indexed, is a buffer overflow vulnerability in the WhatsApp VOIP stack that allows remote code execution when specially crafted series of SRTCP packets are sent to a target phone number, according to this advisory.
According to the Financial Times, exploits worked by calling either a vulnerable iPhone or Android device using the WhatsApp calling function. Targets need not have answered a call, and the calls often disappeared from logs, the publication said. The WhatsApp representative said the vulnerability was fixed in updates released on Friday.
The exploits, according to the FT, were used to install spyware from NSO Group, maker of Pegasus, an advanced app that jailbreaks the mobile device so that it can trawl through private messages, activate the microphone and camera, and collect all kinds of other sensitive information. The FT, citing the unnamed spyware technology dealer, said that actor was NSO Group, which was recently valued at $1 billion in a leveraged buyout that involved the UK private equity fund Novalpina Capital.
The WhatsApp representative told Ars that a “‘select number of users were targeted through this vulnerability by an advanced cyber actor. The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.” The representative didn’t identify NSO Group by name.
Among the people who were targeted was a UK-based human rights lawyer whose phone was attacked on Sunday as WhatsApp was in the process of neutralizing the vulnerability. (That’s according to John Scott-Railton, a senior researcher at Toronto-based Citizen Lab, who spoke to Ars.) When the exploit failed, the lawyer’s phone was visited by a second, unsuccessful exploit, the Citizen Lab researcher said.
“Whoever at the company was in charge of monitoring their exploits was not doing a very good job,” Scott-Railton said. Failing to know ahead of time that the exploit had been fixed “suggests the group that is a commercial spyware company, was not doing a good job.”
Scott-Railton declined to name the UK lawyer but said he has represented Mexican journalists, government critics, and a Saudi dissident living in Canada in lawsuits against NSO Group. The legal actions allege NSO shares liability for any abuse of its software by customers.
In recent months, Scott-Railton said, NSO Group has said its spyware is only used against legitimate targets of law-enforcement groups. “If indeed this is NSO, the company in this case is clearly being used in a way that’s extremely reckless,” he said. “This [lawyer] is not anyone’s definition of a legitimate target.”
WhatsApp said the fix on Friday was made to the company’s servers and was aimed at preventing attacks from working. The company released a patch for end users on Monday. WhatsApp said it has also disclosed the incident to US law enforcement agencies to help them conduct an investigation. On Tuesday, NSO Group faces a challenge in Israeli court regarding its ability to export its software. The challenge comes from Amnesty International and other human rights groups.
Attempts to reach NSO Group weren’t immediately successful.