WhatsApp fix goes live after targeted attack on human rights lawyer

WhatsApp fix goes live after targeted attack on human rights lawyer

If you use WhatsApp, you’ll want to update both app and device as soon as possible due to a freshly-discovered exploit. The vulnerability was found in Google Android, Apple iOS, and Microsoft Windows Phone builds of the app.

Unlike many mobile attacks, potential victims aren’t required to install or click on anything—they may not even be aware something malicious has taken place.

This attack came to light after CitizenLab suspected a human rights lawyer was being targeted, and after observing, deduced that they were, but the attacks were blocked by the fixes WhatsApp put in place.

We should stress these are smart, high-level attacks and not typically rolled out to target random people. No need to start panicking. Just apply fixes as required, and go about your day.

What typically happens with a mobile attack?

A large portion of mobile attacks usually involve some form of social engineering. Mobile manufacturers insist customers use their own closed ecosystem store to lessen the risk of becoming infected by something out in the wild.

For example, iPhone users can only download apps from iTunes. And Android devices have installs from third parties or unknown sources switched off by default. This means if your child ends up on a fake Angry Birds website offering up a bogus installer, they won’t be able to install the app because the device won’t allow it (unless you switched off the default settings).

While bad files can and do lurk on official mobile stores, ignoring unknown source installs definitely helps keep infection numbers down.

This sounds like a non-typical mobile hijack

That would definitely be the case.

The WhatsApp team worked out that a simple missed call was all it took to inject commercial spyware into the device. The call, made using WhatsApp’s voice call function, would lead to the infection being installed on the phone silently. It appears all record of the call log would be scrubbed too, so the victim wouldn’t even be aware something was amiss.

This is similar to how malware on the desktop will often delete files after the event to remain as stealthy as possible. When this happens, it can take a long time before someone realises what’s up. When they do, it’s usually too late, and the attackers have already reached their chosen objective.

What is the impact?

Whether your mobile device is used for something important or you do little beyond making calls, this exploit could do some serious damage. The spyware can scan messages and emails, alongside grabbing location data. Even if you think malware on your phone isn’t a big deal because you don’t do anything important on it, the attackers have something for everyone. Namely, the ability to turn on a phone’s microphone and camera, access photos, contacts, and more.

Given the stealthy way the attack was attempted, it’s impressive that WhatsApp caught it as quickly as they did. Engineers at Facebook have been busy sorting this one out over the weekend.

Is there an advisory?

There sure is. Named CVE-2019-3568, the advisory reads as follows:

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Last Updated: 2019-05-13

What do we do now?

In a word, update. If your apps and devices are set to update automatically, you should be good to go. If not, go and update manually as soon as possible. As mentioned earlier, you probably shouldn’t worry about having been infected, as it seems to have been a carefully targeted attack. There’s an excellent chance you’re not on the radar.

In fact, if your updates aren’t set to automatic, your immediate concerns should be about more mundane security threats. Please consider switching to automatic and save yourself needless worries.

For more information on general mobile security, feel free to check out our guide to spotting mobile phishes, and some simple tips for good mobile hygiene. With that, plus Malwarebytes’ security apps for Android and iOS, you should be good to go.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.