Introduction
A vulnerability in Facebook-owned messaging service WhatsApp has been discovered and subsequently patched. The vulnerability allowed a remote attacker to install a form of spyware known as Pegasus, and affected installations of WhatsApp on Android or iOS devices. This is expected to constitute a significant percentage of WhatsApp’s user-base – which is around 1.5bn users.
Overview
The Financial Times (subscription required) reported that attackers were able to install the Pegasus spyware by using WhatsApp’s telephone feature to call a target device. According to Ars Technica, the vulnerability which allowed installation of Pegasus was a buffer overflow in WhatsApp’s VOIP stack. This allowed remote execution of arbitrary code when a series of specially-crafted SRTCP packets were sent to a vulnerable device. The vulnerability has been indexed as CVE-2019-3568 and has been published by Facebook here.
Pegasus is surveillance software developed by the Israeli cyber security firm NSO Group. The software jailbreaks the target device so that it can retrieve sensitive information and activate the camera or microphone. Pegasus, and other NSO Group products, are intended for use in targeted surveillance by NSO Group’s clients, which it has said includes governments and law-enforcement groups. However, the company is facing a court challenge from human rights advocates, such as Amnesty International, who wish to prevent export of the company’s technologies.
Among the users who have been affected by the vulnerability is an unnamed UK-based human rights lawyer, who represents various parties involved in lawsuits against NSO Group. It has been reported that this lawyer was targeted as recently as Sunday, with the patch which fixed the WhatsApp vulnerability being released on Monday. Recent reports have also suggested that text messages containing the Pegasus spyware were sent to the widow of a slain Mexican journalist.
Remediation and IOCs
Since exploitation of the WhatsApp vulnerability has been leveraged against high-profile targets, regular users should not be too concerned about becoming infected with the Pegasus spyware. Our advice would be to install WhatsApp’s patch, released Monday 13th of May, which fixes the VOIP vulnerability which enables this exploit. As for indicators of compromise, reports have stated that victims of this attack received a number of unsolicited phone calls within WhatsApp, records of which have since been deleted from the logs.