Facebook-owned WhatsApp has issued urgent patches after the discovery of a vulnerability that allows spyware injection through calls, whether or not victims answer them.
The chat and IP telephony service, with 1.5 billion claimed users worldwide, said that a buffer overflow vulnerability allowed remote code execution via specially crafted Secure Real-time Transport Protocol data packets sent to targets' phones.
Affected versions include:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp for Windows Phone prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
WhatsApp has patched its servers against the vulnerability.
The spyware injected through the vulnerability is believed to be the Pegasus malware, developed by Israeli company NSO Group, according to a report in the Financial Times.
Pegasus runs on Google Android and Apple iOS devices, and can delete call logs, activate the camera and microphone, and access and exfiltrate location information and messages.
A human rights lawyer in London was allegedly hit by a failed attempt to infect a device, the FT reported.
The lawyer acted for a Saudi dissident who had sued NSO Group for selling its software to repressive regimes in the Middle East.
Pegasus is also thought to have been used against journalist Jamal Khashoggi, who was murdered at a Saudi Arabian consulate in Turkey.