GearBrain

WhatsApp spyware warning: All 1.5B users should update as soon as possible

Update only mentions full-size stickers, but it actually fixes a huge security flaw.


WhatsApp users are being urged to update the application as soon as possible, after a spyware vulnerability was discovered in the Facebook-owned messaging app.

However, despite the spyware's ability to see your WhatsApp conversations, contacts book, and even access your smartphone's camera, the latest update from WhatsApp does not mention anything to do with it.


Instead, the crucial update, which is designed to keep 1.5 billion users safe, only mentions a new ability to see full-size stickers in text conversations. The security patch is in there, but WhatsApp has chosen not to mention it.

The spyware, which Facebook says took advantage of a "buffer overflow vulnerability", allowed hackers to remotely access the WhatsApp conversations of targets, simply by calling them. The target did not need to answer for the hack to take place, and all evidence of the WhatsApp call could then be removed.



Called Pegasus, the spyware was developed by Israel's secretive NSO Group to be used legally by governments and law enforcement agencies.

According to the Financial Times, which first reported the vulnerability, Pegasus could be installed on a target's device simply by calling them through WhatsApp. The target did not even need to answer for the spyware to be installed, and other than missing a call from an unknown number, they would have no idea of what had happened.

What's more, if the call went unnoticed by the target, the attackers could erase incoming call logs from their device, removing all evidence of the call ever taking place. Once the attack had happened, hackers were able to access a huge trove of personal data stored on the target's device, including their WhatsApp text conversations, contacts book, email archive, browser history and GPS location. Hackers could even access a live feed from the device's camera and microphone.

According to the Financial Times, the spyware was used against an unnamed UK-based human rights lawyer on May 12. According to Citizen Lab, this highly-targeted attack was blocked by WhatsApp. It is likely that the spyware was created to target specific individuals, rather than browse the chat histories of as many people as possible.



WhatsApp, whose app is used by 1.5 billion people, told the FT: "This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society."

The company said it was too early to determine how many users had been affected by the vulnerability, which was discovered in early May.

An update was made available to WhatsApp users worldwide on May 13, but its release notes make no mention of the potentially dangerous flaw it is designed to fix. Instead the release notes for the update, which is version number 2.19.51, state: "You can now see stickers in full size when you long press a notification."

Screenshot of a WhatsApp security update. The WhatsApp update makes no mention at all of what it is actually fixing. (Image: GearBrain)

WhatsApp's lack of transparency here is a problem. Users may read about this major vulnerability and head to the iOS App Store or Android Play Store for an update to fix it. But all they will be greeted with is an update allowing them to see full-size stickers.

Cybersecurity expert Graham Cluley wrote on Tuesday morning: "The latest WhatsApp update makes no mention of a security fix being included. It just talks about stickers instead. I wonder how many millions of people will be unsure today whether they're using the fixed version of WhatsApp or not?"

WhatsApp said in a statement that it "encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices."


