If you are one of WhatsApp’s billion-plus users, you may have read that on Monday the company announced that it had found a vulnerability. This vulnerability allowed an attacker to remotely upload malicious code onto a phone by sending packets of data that look like phone calls from a number not in your contacts list. These repeated calls then cause WhatsApp to crash. This is a particularly scary vulnerability because the does not require that the user pick up the phone, click a link, enter their login credentials, or interact in any way.
Fortunately, the company fixed the vulnerability on the server side over the weekend and rolled out a patch for the client side on Monday.
What does that mean for you? First and foremost, it means today is a good day to make sure that you are running the latest version of WhatsApp. Until you update your software, your phone may still be vulnerable to this exploit.
Are you likely to have been targeted by this exploit? Facebook (which owns WhatsApp) has not indicated that they know how many people have been targeted by this vulnerability, but they have attributed its use to an Israeli security company, NSO Group, which has long claimed to be able to install its software by sending a single text message. The exploit market pays top-dollar for “zero-click install” vulnerabilities in the latest versions of popular applications. It is not so remarkable that such capabilities exist, but it is remarkable that WhatsApp’s security team found and patched the vulnerability.
NSO Group is known to sell its software to governments such as Mexico and Saudi Arabia, where these capabilities have been used to spy on human rights activists, scientists, and journalists, including Jamal Khashoggi, who was allegedly tracked using NSO Group’s Pegasus spyware in the weeks leading up to his murder by agents of the Saudi government.
What can you do if you have antagonized a government known to use NSO Group’s spyware and your WhatsApp is getting strange calls and crashing? You can contact Eva Galperin at EFF’s Threat Lab at firstname.lastname@example.org.
As for everyone else, stay calm, update your software, and keep using chat apps like WhatsApp that offer end-to-end encryption. Advanced malware and vulnerabilities like this may grab headlines, but for most people most of the time end-to-end encryption is still one of the most effective ways to protect the contents of your messages.