WhatsApp rolls out security fix amid spyware fears

The update released by WhatsApp to stop hackers injecting 1.5bn phones with surveillance software may not be enough to protect users, experts today warned.     

It is also feared that the vulnerability in the messaging system that the military-grade hacking software exploited could now be used by less sophisticated hackers.

Pressure is growing on Mark Zuckerberg to personally intervene in the problem after WhatsApp refused to provide key details. 

It would not say how many victims had been identified, give assurances that the update removes the spyware or give details of what the software accesses.     

WhatsApp says it is working alongside human rights organisations and US law enforcement agents after the vulnerability came to light this morning. 

The vulnerability allowed attackers to install malicious code on iPhones and Android phones by ringing up a target device.

The code could be transmitted even if users did not answer their phones and a log of the call often disappeared, according to reports.

WhatsApp claims to have 1.5billion users around the world and urged users to update their app after it released a software update yesterday. 

WhatsApp urged users to upgrade their app after it released a software update yesterday. However, experts warn the rushed fix may be unable to protect users (stock)

Andrew Martin, CEO of London-based cyber-security firm DynaRisk, told MailOnline: ‘Given the lack of knowledge about the spyware at this stage, even the software update sent out by WhatsApp may not be enough to protect users’ privacy. 

‘While the attack started with targeting specific individuals or groups, the vulnerability will become more widely exploited by less sophisticated groups of cyber criminals soon, which will make the issue more widespread. 

‘Ongoing scandals such as these highlight how Facebook is still struggling to effectively protect users across its platforms and it’s evident that security threats are evolving at a much faster rate than businesses can adapt.

‘Although WhatsApp is taking time to show accountability, it will be interesting to see what damage this causes to the platform’s reputation.

‘In the meantime, however, consumers need to be cautious and take a level of responsibility for their own personal security too.’ 

Mr Martin says the average consumer does not need to be concerned with state-sponsored snooping but it is possible similar methods will soon be employed by smaller operations of criminals and hackers to target regular people. 

‘Generally speaking, all other hackers start looking into the remote code execution vulnerability where any action can be executed. 

‘This is an important vulnerability as it can be used on any phone and requires zero interaction as they don’t need to click anything for the software to install itself.

‘When you make a call it opens a connection to the phone and sends over a stream of data and this can, reportedly, be manipulated.

‘It causes the WhatsApp app to malfunction in the background and can then they can send a new code to the phone for it to execute.

‘Although we do not know the details of the vulnerability as it has yet to be released to the public, it is reasonable to assume that if malicious code can be sent over it would then take advantage of WhatsApp and could access or tamper with anything the app has access to – which may include photos and videos as well as microphone and camera access.’ 

WhatsApp, which is owned by Facebook, said the attack bore a resemblance to spyware developed for intelligence agencies.

According to the Financial Times, who first reported the story, the spyware was developed by NSO Group, an Israeli cybersecurity and intelligence company. 

It is believed Israeli firm NSO is behind the technology, as researchers found a similar digital footprint to other tools known to have originated from the company.  

There are concerns the software was used in attempts to access the phones of human rights campaigners, including a UK-based lawyer.

The human rights lawyer, who requested anonymity, has been involved in lawsuits against the NSO Group and said he grew suspicious after receiving several mysterious phone calls originating from Sweden. 

These lawsuits include allegations against NSO on behalf of Omar Abdulaziz, a Saudi citizen currently living in exile in Canada who was mentored by murdered journalist Jamal Khashoggi.

Other alleged victims of include a citizen of Qatar and Mexican journalists and activists.

It is thought the list of who may have been exposed during this hack could be much longer.

Amnesty International revealed one of its researchers had also been targeted.

The group is backing legal action against the Israeli Ministry of Defence demanding that it revokes NSO Group’s export licence which will be in court today. 

WhatsApp engineers in both the UK and US were working on a fix to the issue around the clock after it came to light and have now issued a patch to the bug. The firm urged users to update in order to protect themselves, but there is no mention of the malware protection in the update settings (pictured)

WhatsApp engineers in both the UK and US were working on a fix to the issue around the clock after it came to light and have now issued a patch to the bug. The firm urged users to update in order to protect themselves, but there is no mention of the malware protection in the update settings (pictured)

Danna Ingleton, deputy director of Amnesty Tech, said: ‘NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics.’  

NSO’s spyware has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents in the past. 

Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.

WhatsApp engineers in both the UK and US were working on a fix to the issue around the clock after it came to light and have now issued a patch to the bug. 

It began rolling out a fix to its own servers on Friday, blocked attempts to expose the flaw as recently as Sunday, and urged users to install an update on Monday. 

The UK’s National Cyber Security Centre (NCSC) has since published advice for WhatsApp users on its website to help protect people. 

It aligns with the guidance issued by WhatsApp and focuses on updating the app and switching the settings to automatically update. 

A spokesperson for the National Cyber Security Centre said:

‘WhatsApp have today announced a vulnerability that could have allowed users’ phones to be compromised.

‘The company has reportedly said that a small number of accounts have been affected and has told its users to update their apps using standard updates from the app store as a precaution.

‘The NCSC has published guidance for users and always recommends that people protect their device by installing updates as soon as they become available. 

‘The NCSC also recommends that people switch on automatic updates to install them as quickly as possible.’

The firm said the attack bore a resemblance to spyware developed for intelligence agencies.

The firm said the attack bore a resemblance to spyware developed for intelligence agencies. 

Users that have already updated their app to protect themselves have been greeted with a brief blurb that professes it will allow them to ‘see stickers in full size when you long press a notification’. 

However, there is no mention of the malware vulnerability. 

HAVE YOU BEEN TARGETED AND WHO WAS BEHIND THE ATTACK ON WHATSAPP?

It is highly unlikely that anyone other than high-profile targets or individuals of interest to NSO directly have become victims of this cyber attack.

It is feared the now exposed vulnerability could be manipulated by less sophisticated hackers and could be used to target regular people. 

The military-grade software produced by NSO is only available to nations that have purchased the sophisticated and extremely powerful Pegasus technology. 

It is believed to have been used to target human rights campaigners, including a UK-based lawyer, a Saudi dissident, a citizen of Qatar and Mexican journalists and activists.

The lawyer is believed to be engaged in a lawsuit against NSO and became suspicious when receiving random WhatsApp calls from Sweden. 

Researchers at Citizen Lab, a research group at the University of Toronto, conducted extensive forensic examinations of the handset and found no trace of embedded malware. 

However, what they uncovered was a digital footprint similar to that which is known to have belonged to NSO technology in the past.

WhatsApp engineers also identified the issue and worked extensively to fix the bug. 

The Financial Times identified the actor as Israel’s NSO Group, previously referred to as a ‘cyber arms dealer’, and WhatsApp said it was ‘not refuting any of the coverage you’ve seen’. 

The revelation adds to the questions over the reach of the Israeli company’s powerful spyware.

Its marquee product is called Pegasus and can hijack smartphones, control their cameras and effectively turn them into pocket-sized surveillance devices.

NSO’s spyware has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents. 

Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.

Several alleged targets of the spyware, including a close friend of Khashoggi and several Mexican civil society figures, are currently suing NSO in an Israeli court over the hacking.

Yesterday, Amnesty International – which said last year that one its staffers was also targeted with the spyware – said it would join in a legal bid to force Israel’s Ministry of Defense to suspend NSO’s export licence. 

The vulnerability and suspected attacks were investigated by Citizen Lab, a research group at the University of Toronto, last week. 

‘We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer,’ the lab said.   

John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, said the attack on the UK lawyer had been unsuccessful – citing WhatApp’s fix as the reason.   

WhatsApp said it was deeply concerned about the abuse of such capabilities and is urging users to update their apps out of an abundance of caution. 

WhatsApp also accepted that users were exposed, and that the true number remains unknown.  

‘We believe a select number of users were targeted through this vulnerability by an advanced cyber actor,’ WhatsApp told the FT. 

‘This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.

‘We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.’

The firm is said to have alerted officials at the US Department of Justice after discovering the vulnerability in early May. 

Tom Watson MP, Labour’s Shadow Secretary of State for Digital, Culture, Media and Sport, responding to a hack discovered in the WhatsApp messaging platform, said:

‘These cyber-security breaches are deeply concerning, particularly as human rights and advocacy organisations seem to have been targeted.

‘WhatsApp boss Mark Zuckerberg needs to give us categorical assurances this security flaw has been fixed and WhatsApp users cannot be spied upon.

‘We need answers from the Government about what contact they have had with WhatsApp over this breach and what action they are taking if this spyware has fallen into the wrong hands.’

NSO, which was recently valued at approximately $1billion, claims to only license its technology to government agencies for use against crime and terrorism.  

The company denied this and told the paper: ‘Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.

‘NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual (the UK lawyer).’ 

The scruples of the firm lies with an in-house ethics committee which is believed to decide if it should supply its capabilities to countries based on their human rights records. 

Despite these claims, it has recently been found in the hands of companies with a less than stellar record – including Saudi Arabia, United Arab Emirates and Mexico.    

While the investigation from Citizen Labs was occurring the engineers at WhatsApp headquarters found the unusual activity.

HOW TO UPDATE YOUR WHATSAPP 

Many apps update automatically on the majority of handsets but they can be manually updated as well.  

iOS 

For Apple users, open the App Store and select ‘Updates’ in the bottom row.

Refresh this page by dragging the screen down to ensure all recent updates are available. 

All apps installed on the device will which have a pending update can be see here and then simply tap update.

This should automatically start the update and nothing more is needed. 

Android  

Android users the update process is very similar but involves the Google Play Store and not the App store. 

Open the Find the My apps and games section and refresh the page. 

All available and pending updates will then be present. 

Select ‘Update’ next to the desired app – in this case WhatsApp – and it should automatically be updated. 

Nothing else is needed.  

The Facebook-owned firm then went to human rights organisations to alert them to the issue and worked with Citizen Lab and determined the targeting of the London-based hacker.  

John Scott-Railton from Citizen Lab called the hack ‘a very scary vulnerability.’ ‘There’s nothing a user could have done here, short of not having the app,’ he said. 

Chris Boyd, an expert in the type of technology used in the attack at the firm Malwarebytes said: ‘This attack is enormously worrying for anyone using WhatsApp on a phone alongside sensitive information. 

‘Even without that, access to camera and microphone is a major privacy concern and everybody should upgrade to the newest version as soon as possible. 

‘The really impressive thing here is that the WhatsApp team discovered this attack at all, given no click to install is required.’

Dr Budi Arief, a cybersecurity expert at the University of Kent echoed these sentiments and said: ‘It demonstrates the importance of keeping your software update. 

‘I’m not particularly surprised by this development, this happens all the time.

‘This recent vulnerability bears a resemblance to the Apple FaceTime vulnerability discovered earlier this year.

‘At this stage, it is too early to say whether there is any connection between the WhatsApp vulnerability and the FaceTime vulnerability. 

‘Software is a very complex system – it’s practically impossible to guarantee it is completely bug-free, there are always potential vulnerabilities that could be exploited.’  

Read more at DailyMail.co.uk