Log Out

Advertisement

WhatsApp rush to plug breach

Spyware injected into some devices using phone call function

By Our Special Correspondent in New Delhi

  • Published 15.05.19, 1:52 AM
  • Updated 15.05.19, 1:52 AM
“Spyware developed by the Israeli cyber surveillance company and could affect both Android and iPhones”
“Spyware developed by the Israeli cyber surveillance company and could affect both Android and iPhones” Picture by Shutterstock

WhatsApp, the popular social media app, scrambled to put out a patch to plug a scary flaw that enabled hackers to inject spyware on to smartphones that enabled them to read messages, see contacts and activate the camera.

The Facebook-owned company asked its 1.5 billion users worldwide to immediately upgrade to the latest version of the app to protect themselves from the malicious spyware that is believed to have been developed by a secretive Israeli spyware company called NSO Group.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesperson said.

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users,” the spokesperson added.

The storm burst over the weekend after the London-based Financial Times reported that the vulnerability in

WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app’s phone call function.

It said the spyware was developed by the Israeli cyber surveillance company and could affect both Android and iPhones.

WhatsApp said the attack had all the hallmarks of a private company that works with governments to deliver spyware that can take over the functions of mobile phone operating systems.

“We are deeply concerned about the abuse of such capabilities. We have briefed a number of human rights organisations to share the information we can and to work with them to notify civil society,” the company said.

WhatsApp detected the bug on its platform that would allow malicious actors to install the spyware on a smartphone using a single WhatsApp call.

Even if a subscriber did not actually receive the call, the hackers could gain access to all the data on the phone including call logs, emails, messages and photos. The malicious call often disappears from the WhatsApp call logs. This means that a smartphone user had no way of knowing if she had received a suspicious call.

The versions of WhatsApp that have been affected by the issue include — WhatsApp for Android v2.19.134 and those that came before; WhatsApp Business for Android v2.19.44 and before; WhatsApp for iOS v2.19.51 and before; WhatsApp Business for iOS v2.19.51 and before; WhatsApp for Windows Phone v2.18.348 and before; and WhatsApp for Tizen v2.18.15 and before. WhatsApp discovered the bug earlier this month but did not immediately disclose it since it was working on an update to secure its servers until last Friday.

The security patch was offered to its customers on Monday.

The company did not disclose the number of people that may have been affected by the vulnerability. India has the largest base of WhatsApp users globally with well over 200 million users.

The company said it has launched an investigation into the matter, and has also provided information to US law enforcement agencies to help them conduct an investigation.

Several WhatsApp users were dismayed with the security breach to the social media app. Most worried that if an end-to-end encryption app like WhatsApp was so vulnerable, how secure were the other apps that they commonly download which do not boast of such high security features and firewalls.

Cyber law expert Pavan Duggal said: “The current laws related to cyber security are quite opaque and do not cover breach of privacy of individuals by private players. The law needs to be amended to bring private players and social media within the ambit of the Right to Privacy.”

In July last year, a high level panel headed by Justice B.N. Srikrishna submitted its report on the draft Personal Data Protection Bill 2018.

Since then, the government has faced a criticism from members of the business community and associations such as the Internet and Mobile Association of India, NASSCOM, and ecommerce companies like Amazon and Walmart over the provisions of the bill.

About Author

Advertisement