WhatsApp spyware exploit ‘unusual’ but method more than 30 years old


WhatsApp users were faced with a frightening situation earlier this week, when it was revealed that a WhatsApp voice call could allow an attacker to install spyware on your smartphone.

While the company has since patched the vulnerability, and urged users to update their apps, the question remains: how on earth was this possible?

According to Sophos’ Paul Ducklin, it’s not a farfetched concept.

“Whenever two programs communicate over the network, each side has to take care not to choke on the data from the other end,” he told Memeburn in an email.

“A booby-trapped website could attack your browser, a poisoned attachment might be able to trigger a bug in your email software — or a rogue caller could trip up voice software like WhatsApp, which is what happened here.”

But unlike an infected email attachment or a bogus online ad, which need the victim to click on something, this bug required no action from the user at all: having WhatsApp installed and ready to receive calls from friends or family was enough for a rogue caller to reach the vulnerable code.


The exploit targeted a buffer overflow, a long-standing class of programming error. A program sets aside a fixed-size area of memory (a buffer) to hold incoming data; if it copies in more data than the buffer can hold without first checking the length, the excess spills over into whatever sits next to the buffer in memory. That neighbouring memory can hold other variables or the addresses the program uses to decide what to run next, so an attacker who controls the overflowing bytes can overwrite those values with ones of their choosing and steer the program into running code they supply, in this case code that installed spyware. WhatsApp calls are Voice over IP: the call setup and audio travel as packets of data over the internet rather than as a signal on a dedicated telephone line, and those packets are parsed by the app’s own software. A packet crafted by a rogue caller could therefore reach the vulnerable parsing code before the user did anything.
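To make the mechanism concrete, here is an added example in C (not WhatsApp’s code, and not from the article or from Sophos): a toy parser for an invented packet format with a length byte, written once with the classic missing bounds check and once with the check in place. The call-handling state, the packet layout and the “trusted caller” flag are all assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64                          /* size of the payload slot */
#define TRUSTED_OFF PAYLOAD_MAX                 /* the flag sits right after it */
#define STATE_SIZE (PAYLOAD_MAX + sizeof(uint32_t))

/* Hypothetical call-handling state: a 64-byte payload slot followed in memory
 * by a 4-byte "caller is trusted" flag, the way a local array on the stack is
 * followed by other variables or a saved return address. It is modelled as one
 * raw byte block so the overflow below stays inside a defined region. */
typedef struct {
    unsigned char raw[STATE_SIZE];
} call_state;

static uint32_t read_trusted(const call_state *cs) {
    uint32_t v;
    memcpy(&v, cs->raw + TRUSTED_OFF, sizeof v);
    return v;
}

/* Invented wire format: one length byte, then `len` bytes of payload.
 * Vulnerable parser: trusts the attacker-controlled length byte and copies that
 * many bytes into the 64-byte slot. Bytes 65..68 land on the trusted flag. */
int handle_packet_vulnerable(call_state *cs, const unsigned char *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (pkt_len < 1 + len) return -1;   /* the read is bounded ... */
    memcpy(cs->raw, pkt + 1, len);      /* ... the write is not: no check against PAYLOAD_MAX */
    return 0;
}

/* Hardened parser: refuse any length the payload slot cannot hold. */
int handle_packet_fixed(call_state *cs, const unsigned char *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (len > PAYLOAD_MAX || pkt_len < 1 + len) return -1;
    memcpy(cs->raw, pkt + 1, len);
    return 0;
}

/* Constructed rogue packet: 64 filler bytes plus 4 bytes that spell a nonzero
 * trusted flag. It is sized to stop exactly on the flag; in a real program a
 * longer packet would keep writing past the end of the state. */
size_t build_rogue_packet(unsigned char *out, size_t out_cap) {
    const size_t len = STATE_SIZE;
    if (out_cap < 1 + len) return 0;
    const uint32_t forged = 1;
    out[0] = (unsigned char)len;
    memset(out + 1, 'A', PAYLOAD_MAX);
    memcpy(out + 1 + PAYLOAD_MAX, &forged, sizeof forged);
    return 1 + len;
}

/* Feeds one packet to a parser starting from an untrusted state and returns
 * the trusted flag afterwards (0 means the caller is still untrusted). */
uint32_t trusted_after(int (*handler)(call_state *, const unsigned char *, size_t),
                       const unsigned char *pkt, size_t pkt_len) {
    call_state cs;
    memset(&cs, 0, sizeof cs);
    handler(&cs, pkt, pkt_len);
    return read_trusted(&cs);
}

int main(void) {
    unsigned char pkt[1 + STATE_SIZE];
    size_t n = build_rogue_packet(pkt, sizeof pkt);
    printf("vulnerable parser: trusted = %u\n", trusted_after(handle_packet_vulnerable, pkt, n));
    printf("fixed parser:      trusted = %u\n", trusted_after(handle_packet_fixed, pkt, n));
    return 0;
}
```

The only difference between the two parsers is the `len > PAYLOAD_MAX` test. Without it, the sender decides how many bytes are written, and the four bytes that do not fit overwrite the flag sitting after the buffer; with it, the oversized packet is rejected and the state is untouched. Real exploits overwrite control data such as a return address rather than a flag, but the root cause, an unchecked length copied into fixed-size memory, is the same.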

Buffer overflows are nothing new: the Morris worm used one in 1988 to cripple a large part of the internet of the day, years before the web existed. What is unusual is seeing one exploited in a heavily used, well-maintained app like WhatsApp.

“Spyware of this very specific sort is unusual,” Ducklin adds, “finding and exploiting bugs in well-known software from well-known vendors that gets updated regularly is not easy.”

“The big problem for most of us is the reliability of the software we invite in from lesser-known sources, or the websites we visit that we aren’t so sure about, or the operating system updates that came out ages ago but we’ve been putting off.”

Buffer overflows have been used to exploit software from as early as the 1980s

Beyond updating apps promptly, Ducklin advises keeping your personal data safe online, because it is exactly that data that spyware is after.

“Spyware isn’t just about law enforcement or intelligence agencies trying to spy on people – cybercrooks of all types love to get at other people’s data because it all has some sort of value. Names, addresses, phone numbers, ID numbers, bank account details, your SARS number, credit card details, recent transaction history — all of it worth at least something to a crook somewhere,” he concluded.

Feature image: Memeburn

Andy Walker, former editor