Hackers inject spyware via WhatsApp voice calls

Users should take note if they start receiving a series of WhatsApp calls from unknown numbers, although Pegasus is a commercial-grade program typically sold to nation states.
Users should take note if they start receiving a series of WhatsApp calls from unknown numbers, although Pegasus is a commercial-grade program typically sold to nation states. PHOTO: EPA-EFE

Data can be stolen even if call is not taken; users urged to update app

A flaw in the popular messaging app WhatsApp has allowed hackers to remotely install surveillance software on phones via its voice call function, potentially affecting all of its 1.5 billion users worldwide.

In a statement sent to The Straits Times, Facebook-owned WhatsApp urged all users to update to the latest version of the app and to "keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices".

The Singapore Computer Emergency Response Team (SingCert), a unit of the Cyber Security Agency of Singapore, also advised users to upgrade to the latest version of WhatsApp as soon as possible.

SingCert told The Straits Times that it has not received any reports of compromise introduced through the WhatsApp vulnerability.

Facebook believes that the Pegasus spyware targeted only a select number of users.

The program was developed by Israeli cyber-intelligence company NSO Group and typically licensed to government agencies.

  • Regular user unlikely to be targeted

  • Q How do I tell if the flaw was exploited and spyware injected?

    A As Pegasus is a commercial-grade program and typically sold to nation states, it is unlikely that a regular WhatsApp user would be targeted. Still, it is good to take note if you start receiving a series of WhatsApp calls from unknown numbers. A London lawyer who was targeted suspected that his phone had been hacked when he started missing WhatsApp calls from Swedish telephone numbers at odd hours, reported The New York Times.

    Q How do I upgrade WhatsApp to the latest version?

    A For Android users, go to the Play Store and click on the Menu button. Click on "My Apps & Games", search for WhatsApp, and click the Update button next to it. For iOS users, go to the App Store, then click the Updates button and search for WhatsApp. Click the Update button next to it. If you do not see the Update option, your app should have already been updated.

    Q How do I set my phone to automatically download app updates in future?

    A For Android users, go to the Play Store, then tap on the Menu button and click on "Settings". Tap "Auto-update apps" and choose if you wish to do so any time, or only when your phone is connected to Wi-Fi. For iOS users, go to Settings and then click on "iTunes & App Stores". Toggle to turn on the "Updates" button under the automatic downloads section. Similarly, you can choose to do so using cellular data or just Wi-Fi.

The flaw allowed hackers to insert spyware and steal data from an Android phone or an iPhone by placing a WhatsApp call, even when the call is not answered.

Mr Oded Vanunu, head of products vulnerability research at security firm Check Point Software Technologies, told The Straits Times that it would be difficult to know if one is targeted as the spyware also erases the call information from call logs.

The New York Times reported that it was used to break into the phone of a London lawyer involved in lawsuits accusing NSO Group of providing tools to hack the phones of Mr Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists.

WhatsApp said it took less than 10 days after discovering the flaw in early May to make the required changes to its infrastructure. A WhatsApp app update went out last Friday to correct the flaw.

WhatsApp engineers who examined the vulnerability concluded that the spyware in question is similar to other tools from the NSO Group.

In response, NSO Group said that its technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.

The company also said that it does not operate Pegasus, and that intelligence and law enforcement agencies determine how to use the technology to support their public safety missions.

"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system," the group said in a statement to The Straits Times.

A version of this article appeared in the print edition of The Straits Times on May 15, 2019, with the headline 'Hackers inject spyware via WhatsApp voice calls'. Print Edition | Subscribe