How attackers were able to spread spyware through WhatsApp with just a phone call

Earlier this week, it was reported that a vulnerability in Facebook’s popular WhatsApp messaging service made it possible for attackers to spread spyware to smartphones via phone calls made through the app.

To do so, hackers exploited a bug within WhatsApp known as a buffer-overflow vulnerability, which the company said it quickly fixed, the Financial Times first reported. A buffer overflow is exactly what its name implies; it’s an issue that can occur when an app is flooded with more data than it can store in its buffer, or temporary storage space.

“A buffer overflow occurs when a programming error allows more data to be written to a given area of memory than can actually be stored there,” Rik Ferguson, the vice president of security research at the security-software firm Trend Micro, told Business Insider in an email. “The extra data flows into adjacent storage, corrupting or overwriting the data previously held there, and can cause crashes, corruptions, or serve as an entry point for further intrusions.”

In the case of the WhatsApp attack, intruders exploited the buffer-overflow bug through the app’s phone-call function to install spyware on smartphones without the phones’ owners knowing, the Financial Times reported. The exploit would work even if the victim did not answer the call, the report said.

To understand how this is possible, it helps to know how WhatsApp’s calling functionality works. Like many popular messaging apps, WhatsApp employs a widely used technology known as Voice over Internet Protocol (VoIP), which allows users to make and receive phone calls over the internet instead of through a standard telephone line.

When you receive a phone call through WhatsApp, the app sets up the VoIP transaction and the encryption that goes along with it, Ferguson said. It then notifies the user of the incoming call and prepares to either accept, decline, or ignore the call based on the user’s input.

“It is my understanding that the buffer overflow exploit occurs during this phase, which is why the recipient does not need to answer the call to be successfully compromised,” Ferguson said.

Buffer-overflow vulnerabilities have existed for decades, even dating back to the notorious Morris worm from 1988, which is widely perceived as being one of the earliest iterations of the modern internet-spread virus. According to Ferguson, instances of buffer-overflow exploits have been documented as far back as 1972, and programming languages such as C and C++ are particularly prone to them even today.

“Finding them is difficult and successful exploitation even more complex, but attackers and researchers still regularly do so,” he said.

The malicious code used in the WhatsApp attack was developed by the Israeli firm NSO Group, which develops a product called Pegasus that can activate a smartphone’s camera and microphone, the report said. The firm’s software has previously been linked to attempts to manipulate devices belonging to activists. In 2016, for example, the prominent human-rights activist Ahmed Mansoor received a text message with a link that would have installed software from NSO Group on his phone, the watchdog organization Citizen Lab reported.

WhatsApp hasn’t said how many of the app’s 1.5 billion users have been affected, but it’s encouraging all users to upgrade to the latest version of the app.

Source: Business Insider