Hackers have used a security bug inside WhatsApp to install spyware through an infected WhatsApp voice call, and Apple users are affected.
What you need to do
If you are one of the 1.5 billion people who use WhatsApp you should immediately update both your app and your iOS software to the latest version.
The app update includes fixes that should prevent hackers taking over your iPhone, while future Apple updates will also likely address these flaws.
What is the threat?
Israeli hackers from a company called the NSO Group developed the spyware specifically so they could get into people’s devices.
The threat consists of spyware capable of activating a device’s camera and microphone that also provides hackers with access to call logs, texts and other personal data inside WhatsApp.
The company sells the spyware system to clients, who include national intelligence and security agencies.
What platforms are affected?
Android, Windows, Tizen and iOS devices are all vulnerable to this attack against WhatsApp.
How does it spread?
The spyware is installed using an infected WhatsApp voice call.
You don’t have to accept the call and you may see no record of the call attempt ever being made, according to The Financial Times.
Here is the security warning for this app.
Who is being attacked?
The attack seems to be aimed at human rights activists.
In this particular case, the existence of the bug was exposed when a UK-based human rights lawyer received a dropped call that made them suspicious enough to look into what was going on.
WhatsApp has said that the complexity of the attack means it will only have been used against a small number of people.
Given that WhatsApp appears to be used almost everywhere in public life, it’s no great surprise that hackers want to break into WhatsApp chats.
If you don’t use WhatsApp on your iPhone then you will not have been attacked, but if you are working in a sensitive industry then you should update the app immediately.
How does the update help?
Once Facebook-owned WhatsApp heard of the existence of the vulnerability, it took steps to boost server-side protection against the bug and also published software updates for all impacted devices.
WhatsApp says it took ten days to deliver the update once the threat was identified.
You should be able to find the update on the relevant App Store. Alternatively, you can uninstall the software, though you’ll lose all your archives.
I thought Apple was secure?
Apple’s platforms are secure by design, but not every app you install is quite as secure. Apple continues to try to provide users with better control over what features can be accessed by individual apps in each release of iOS.
In the case of WhatsApp you can enable or disable access to things like your iPhone’s microphone or camera in Settings > WhatsApp, but we cannot yet be certain this hack will then be unable to access those items, pending a response from Apple.
Who are the NSO Group?
The NSO Group is an Israeli company that has boasted about its ability to hack into iPhones in the past. The company sells software called Pegasus that has historically been used against human rights activists.
The company claims to sell these hacks only as tools to fight against crime and terror and says it maintains a strict vetting process before making them available to its intelligence and law enforcement clients.
What’s WhatsApp saying?
WhatsApp says the attack was sufficiently sophisticated that it appears likely to have come from a “private company working with governments on surveillance.”
In a statement provided to Reuters, the company said:
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”
What happens next?
WhatsApp has referred the incident to the U.S. Department of Justice and also to the lead EU data protection regulator and UK National Cyber Security Centre.
One more thing
I’ve always argued against back doors in any computing platforms. This incident provides yet more evidence that suggests any such security flaws once found should be fixed, rather than weaponised.
That a hack allegedly sold in a strictly controlled manner has been used to such purpose shows how these technologies tend to spread — you can even buy GrayKey devices on eBay these days.
Such proliferation leaves everyone less safe, not more secure.
I wrote this guide to iOS security in 2017. There have been many enhancements since, but this still provides a good grounding on the topic.