According to an advisory published by Facebook, a buffer overflow vulnerability in WhatsApp VOIP stack allows remote attackers to execute arbitrary code on target phones by sending a specially crafted series of SRTCP packets.
This exploit can successfully be executed to install a spyware on phones and steal data from it by merely placing a WhatsApp call, even when the call is not answered.
The victim would not be able to find out about the intrusion afterward as the spyware erases the incoming call information from the logs to operate stealthily.
The exact number of targeted WhatsApp users is not yet known, WhatsApp engineers did confirm that only a “select number” of users were targeted by the NSO Group spyware using this vulnerability.
However, NSO denied using its own software to target the UK lawyer or anyone else.
NSO would not, or could not, use its technology in its own right to target any person or organization.
NSO Group’s Pegasus spyware allows attackers to access an incredible amount of data from victims’ smartphones remotely, including their text messages, emails, WhatsApp messages, contact details, calls record, location, microphone, and camera—all without the victims’ knowledge.
The vulnerability affects all except the latest version of WhatsApp on iOS and Android, meaning the flaw affected all 1.5 billion people using WhatsApp until yesterday when Facebook finally patched the issue.
“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15,” Facebook says.
You should, as WhatsApp suggests, always keep your apps up to date for situations like this, although in this case the problem was able to be fixed in the backend before clients could be patched.