Hackers exploited critical flaw in WhatsApp to inject spyware into devices
14 May 2019
A critical security vulnerability in WhatsApp allowed malicious actors to inject surveillance malware into users’ devices, the online messaging service has revealed, stating that the flaw impacted only a limited number of users.
The critical vulnerability was discovered earlier this month, after which Facebook reported the discovery to the US Department of Justice, human rights groups, and selected security vendors. WhatsApp released a security update on Friday to fix the flaw and advised all 1.5 billion of its users to install it as soon as possible.
“A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number,” said WhatsApp in an advisory to security specialists.
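The advisory names the classic shape of this bug: a peer-supplied length field in a packet header that the receiving code trusts before copying. As an added illustration (not WhatsApp's code, and not the specific bug in its VoIP stack, which the page does not describe), the following parser walks a compound RTCP packet using the standard four-byte common header and refuses to copy anything until the claimed length has been checked against the bytes actually received and against the destination buffer. The sample packets and the `RTCP_MAX_PAYLOAD` limit are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest per-packet payload this toy parser will copy into its scratch
 * buffer (constructed limit for the example, not a protocol constant). */
#define RTCP_MAX_PAYLOAD 64
#define RTCP_MAX_PACKETS 8

typedef struct {
    uint8_t pt;          /* packet type, e.g. 201 = RR, 202 = SDES */
    uint8_t count;       /* RC/SC field (low 5 bits of the first byte) */
    size_t payload_len;  /* bytes after the 4-byte common header */
    uint8_t payload_xor; /* fold of the payload, so the copy is observable */
} rtcp_pkt_t;

/* Walk a compound RTCP packet. Returns the number of sub-packets, or -1 if
 * anything is malformed. The common header is:
 *   byte 0:    V (2 bits) = 2 | P (1 bit) | RC/SC (5 bits)
 *   byte 1:    PT
 *   bytes 2-3: length, in 32-bit words, minus one */
int parse_rtcp_compound(const uint8_t *buf, size_t len,
                        rtcp_pkt_t *out, size_t max_out)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        if (len - off < 4)
            return -1;                       /* truncated common header */
        uint8_t b0 = buf[off];
        if ((b0 >> 6) != 2)
            return -1;                       /* unknown RTCP version */

        uint16_t words = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        size_t pkt_len = ((size_t)words + 1) * 4;

        /* The length field is peer-controlled. A parser that trusts it and
         * copies pkt_len bytes into a fixed buffer is exactly the shape of
         * a buffer overflow; bound it by the bytes actually received and by
         * the destination buffer before any copy happens. */
        if (pkt_len > len - off)
            return -1;                       /* claims more than we received */
        size_t payload_len = pkt_len - 4;
        if (payload_len > RTCP_MAX_PAYLOAD)
            return -1;                       /* would not fit the scratch buffer */
        if ((size_t)n >= max_out)
            return -1;                       /* more sub-packets than we track */

        uint8_t scratch[RTCP_MAX_PAYLOAD];
        memcpy(scratch, buf + off + 4, payload_len);   /* bounded above */

        uint8_t x = 0;
        for (size_t i = 0; i < payload_len; i++)
            x ^= scratch[i];

        out[n].pt = buf[off + 1];
        out[n].count = b0 & 0x1f;
        out[n].payload_len = payload_len;
        out[n].payload_xor = x;
        n++;
        off += pkt_len;
    }
    return n;
}

/* Constructed samples: a well-formed RR + SDES compound, and a packet whose
 * length field claims 256 KiB while only 8 bytes were received. */
static const uint8_t SAMPLE_OK[] = {
    0x80, 0xC9, 0x00, 0x01, 0xDE, 0xAD, 0xBE, 0xEF,   /* RR,   length = 1 */
    0x81, 0xCA, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01    /* SDES, length = 1 */
};
static const uint8_t SAMPLE_OVERSIZED[] = {
    0x80, 0xC9, 0xFF, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF
};

int demo_parse_ok(void)
{
    rtcp_pkt_t pkts[RTCP_MAX_PACKETS];
    return parse_rtcp_compound(SAMPLE_OK, sizeof SAMPLE_OK,
                               pkts, RTCP_MAX_PACKETS);
}

int demo_parse_oversized(void)
{
    rtcp_pkt_t pkts[RTCP_MAX_PACKETS];
    return parse_rtcp_compound(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED,
                               pkts, RTCP_MAX_PACKETS);
}

int main(void)
{
    printf("well-formed compound: %d sub-packets\n", demo_parse_ok());
    printf("oversized length field: %d (rejected)\n", demo_parse_oversized());
    return 0;
}
```

The two checks that matter are the comparison of `pkt_len` against `len - off` and of `payload_len` against the scratch buffer; a fuzzer that mutates the two length bytes is the cheapest way to confirm a real parser performs both before it touches memory.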
WhatsApp flaw exploited by advanced hackers to spy on targets
The Facebook-owned messaging service added that the security vulnerability was exploited by “an advanced cyber actor” to carry out surveillance of targeted entities, but the company could not say for certain how many users were affected.
Wai Man Yau, Vice President and General Manager International at Sonatype, said that the news that a vulnerability in WhatsApp has enabled hackers to inject spyware onto phones demonstrates why end-to-end encryption alone isn’t enough to deliver the privacy and security users expect.
“Without proper software hygiene, companies risk building vulnerabilities into their applications, which hackers are quickly able to exploit. And attackers are getting faster and smarter; the average time for a vulnerability to be exploited has shrunk from months to just a few days.
“It’s comforting to see that WhatsApp has acted so quickly to roll out a fix, but for a business that has hinged so much of its marketing strategy on its security capabilities, this attack will worry its customer base. The messaging app claims that it offers “security by default,” but for it to be genuinely secure – and GDPR compliant – it must also offer security by design, and ensure that it prioritises software security as much as its encryption capabilities,” he added.
Hackers may have installed Pegasus spyware on affected devices
It is believed that the surveillance software installed by hackers on devices after exploiting the critical flaw in WhatsApp is Pegasus, a well-known piece of spyware created by the Israel-based NSO Group, which claims to sell its surveillance products only to governments.
Pegasus was discovered by security researchers over three years ago and is known to feature a number of surveillance capabilities, including capturing screenshots, keylogging, live audio capture, browser history exfiltration, email exfiltration from Android’s native email client, and exfiltration of contacts and text messages from devices.
According to researchers, Pegasus is also capable of exfiltrating messaging data from commonly used applications such as WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao, and can self-destruct if an antidote file exists on an infected device or if it has not been able to check in with its servers for 60 days after infiltration.
“Once deployed on the victim’s phone, Pegasus allows the attacker to access sensitive data from the device (contacts, SMS, emails, photos, etc.), to track location and to activate the microphone and the camera for remote monitoring.
“Since 2016, Pegasus has been identified on several thousand ‘high potential’ targets’ phones. These include CEOs and CFOs of major financial and industrial companies, but also devices owned by journalists or non-governmental organisations,” said Tom Davison, EMEA director at Lookout, the security firm that first discovered Pegasus in 2016.
Use of third-party components in software creating security holes
Adam Brown, manager of security solutions at Synopsys, said that the exploitation of a bug in WhatsApp software is possible because applications, including WhatsApp, use many third-party components. WhatsApp has ‘libssh’ in its inventory, as do many others. Because of a bug in the version of ‘libssh’ (an open-source client-side C library implementing the SSH2 protocol), attackers are able to run their code on the victim’s phone.
“It’s best practice for software companies to know what’s in the bill of materials that makes up their software, and to compare that with known vulnerable versions of software components. By doing so, this kind of vulnerability can be avoided,” he added.
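The comparison Brown describes, a bill of materials checked against known vulnerable version ranges, is mechanical once component versions are parsed consistently. The program below is an added example, not Synopsys' or WhatsApp's tooling; the component names, versions and advisory ranges are constructed placeholders, and the only assumption is that versions are dotted numeric strings and that an advisory lists the version that introduced the bug and the first fixed version.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Parse up to three dotted numeric fields ("1.2.3"); missing fields are 0. */
static void parse_version(const char *s, int v[3])
{
    v[0] = v[1] = v[2] = 0;
    sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]);
}

/* Numeric comparison, so "1.10.0" sorts after "1.9.0" (a plain strcmp
 * would get this wrong). Returns <0, 0 or >0 like strcmp. */
int version_cmp(const char *a, const char *b)
{
    int va[3], vb[3];
    parse_version(a, va);
    parse_version(b, vb);
    for (int i = 0; i < 3; i++)
        if (va[i] != vb[i])
            return va[i] < vb[i] ? -1 : 1;
    return 0;
}

typedef struct { const char *name; const char *version; } component_t;

/* Advisory: versions >= introduced and < fixed are affected. */
typedef struct { const char *name; const char *introduced; const char *fixed; } advisory_t;

int is_affected(const component_t *c, const advisory_t *a)
{
    return strcmp(c->name, a->name) == 0
        && version_cmp(c->version, a->introduced) >= 0
        && version_cmp(c->version, a->fixed) < 0;
}

/* Cross every BOM entry with every advisory; returns the number of hits. */
int audit_bom(const component_t *bom, size_t nb, const advisory_t *adv, size_t na)
{
    int hits = 0;
    for (size_t i = 0; i < nb; i++)
        for (size_t j = 0; j < na; j++)
            if (is_affected(&bom[i], &adv[j])) {
                printf("VULNERABLE: %s %s (affected >= %s, fixed in %s)\n",
                       bom[i].name, bom[i].version, adv[j].introduced, adv[j].fixed);
                hits++;
            }
    return hits;
}

/* Constructed sample inventory and advisories (placeholder names, not real CVEs). */
static const component_t SAMPLE_BOM[] = {
    {"examplelib-ssh",   "0.7.5"},
    {"examplelib-codec", "2.1.0"},
    {"examplelib-json",  "1.0.9"},
};
static const advisory_t SAMPLE_ADVISORIES[] = {
    {"examplelib-ssh",  "0.6.0", "0.7.6"},   /* 0.7.5 falls inside: hit */
    {"examplelib-json", "1.1.0", "1.1.4"},   /* 1.0.9 predates the bug: no hit */
};

int demo_audit(void)
{
    return audit_bom(SAMPLE_BOM, sizeof SAMPLE_BOM / sizeof SAMPLE_BOM[0],
                     SAMPLE_ADVISORIES, sizeof SAMPLE_ADVISORIES / sizeof SAMPLE_ADVISORIES[0]);
}

int main(void)
{
    printf("%d vulnerable component(s)\n", demo_audit());
    return 0;
}
```

In practice the BOM comes from the build system and the advisory list from a vulnerability feed; the check belongs in CI so that a newly published range fails the build the day it appears, which is the window the Sonatype comment above says has shrunk to days.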
This isn’t the first time that hackers have been able to exploit security holes in WhatsApp software to spy on users or to deploy various types of malware. In January last year, Kaspersky Lab discovered that an Italian IT company had created malicious software, named Skygofree, that could exploit an accessibility feature in Android to read everything displayed on a screen, including content from popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp.
A year earlier, Tobias Boelter, a researcher at the University of California, discovered a security flaw in WhatsApp that enabled hackers to intercept messages sent using the service. He said WhatsApp could force the generation of new encryption keys for offline users, meaning the sender must re-encrypt undelivered messages with new keys and send them again.
The sender was only notified that this had happened after the messages were resent if they had encryption warnings turned on, and the recipient was not notified. This meant that if the recipient was offline when a message was sent, an attacker who could register the receiving number with the WhatsApp server could read the resent, re-encrypted message.
“The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming. This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private,” said Kevin Bocek, chief cyber security strategist at security firm Venafi.
“This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences. Systems need to be in place to protect and change keys quickly, as and when needed,” he added.