It’s time for another security update.
WhatsApp, the messaging and audio app owned by Facebook, said Monday that malicious hackers were able to install spyware on Android smartphones and Apple iPhones.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” a WhatsApp spokesperson told MarketWatch.
The surveillance software could be remotely installed on a user’s phone by calling them over the internet (using “VOIP” or voice over internet protocol). Earlier this month, WhatsApp identified and fixed a vulnerability that could enable an attacker to add spyware to devices.
Citizen Lab, a research and development group at the Munk School of Global Affairs & Public Policy at the University of Toronto, tweeted Monday, “We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer.”
Facebook posted a security notice and outlined which versions of the app were vulnerable to exploitation. However, users complained that the notifications they received from WhatsApp on Monday to update their software did not inform them of the security flaw. The flaw would have allowed a bad actor to read a user’s text messages.
Security experts generally recommend never re-using security passwords and say people should use two-factor authentication on their phones, which requires a user to put a code sent to a phone or email into an app or website in order to log in from a new device or to change a password. However, these security precautions would not help people protect against the WhatsApp flaw.
WhatsApp’s website states: “Privacy and security is in our DNA.” It adds, “Some of your most personal moments are shared with WhatsApp, which is why we built end-to-end encryption into our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.”
The Financial Times alleged that the software used was developed by the NSO Group, an Israeli-based security company. It said the flaw in WhatsApp’s software had been open for weeks; WhatsApp described the exploit as a “targeted surveillance attack.” The malicious call used to install the spyware may not have even shown up on the user’s phone as a missed call, the paper added.
The NSO Group said in a statement: “NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror.” It added, “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”