Hackers target security flaw in WhatsApp
They use voice call function in app to remotely install spyware on phones, but experts say risk is low
A security flaw in popular messaging app WhatsApp, which has some 1.5 billion users around the world, has allowed hackers to remotely install spyware on phones.
The vulnerability - first reported by the Financial Times (FT) - allowed hackers to use malicious software to steal data from a user's phone by using WhatsApp's voice call function.
It works even if the call is not answered.
Dr Ori Sasson, director of cyber intelligence firm S2T, told The New Paper yesterday that the spyware is able to record calls and look through a person's contacts.
"It can also access your microphone and camera any time, such that it can be a listening device," he added.
The security flaw affects both Android devices and Apple's iPhones and was discovered earlier this month as WhatsApp scrambled to fix it, rolling out an update in less than 10 days.
A spokesman for the Facebook-owned company said in a statement to AFP: "WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices."
WhatsApp issued a patch for its users on Monday.
Cyber security experts TNP spoke to said the exposure of the flaw highlights the potential danger hidden within the ubiquitous app.
Mr Tom Kellermann, chief cybersecurity officer at Carbon Black, an endpoint cyber security vendor, said: "Modern attackers are quite adept at flying under the radar.
"If you consider how widely used WhatsApp is - by journalists, confidential sources, activists, lawyers, businesses and everyday citizens - this attack is extremely concerning."
Dr Sasson added: "The incident highlights a bigger issue - that a lot of the software that we use on a day-to-day basis have different types of software errors and bugs which may not be initially visible to the user."
The FT cited a spyware dealer as saying that the technology capable of leveraging on the flaw was developed by an Israel-based firm called the NSO Group, which has been accused of helping governments from the Middle East to Mexico snoop on activists and journalists.
The firm, however, said yesterday that it licenses its software only to authorised government agencies for "fighting crime and terror".
The NSO Group "does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions", it said in a statement to AFP.
While this incident highlighted a major flaw in WhatsApp, cyber security experts told TNP that there is no need for its users to delete the app.
WhatsApp had said that the spyware is sophisticated and "would be available to only advanced and highly motivated actors".
Mr James Tan, a forensic consultant with Infinity Forensics, said: "As currently only a handful of people know how to execute the spyware, users should not worry too much if their app is updated."
Dr Sasson agreed.
He said: "From a pragmatic point of view, this is not a huge issue to most people as the spyware is expensive technology not available to simple hackers.
"It is not built to be used against individual people in a wide-scale manner."
He added: "Ultimately, it comes down to a balance between convenience and risk.
"Many Singaporeans use WhatsApp and have many groups, sending pictures and videos. Given that the risk is small, I think t there isn't any action to be taken but to remain vigilant."