A newly revealed security vulnerability in the WhatsApp messaging service exposed 1.5 billion users to having spyware secretly loaded on their phones.
Disclosed by Facebook in mid-May, the WhatsApp vulnerability enabled an attacker to remotely turn on a phone’s camera and microphone, read text messages and emails, and harvest a user’s location data.
What is particularly worrisome about the WhatsApp vulnerability is that it enabled an attacker to download commercial spyware onto a target’s device simply by calling their phone. The spyware could be installed without leaving a trace and did not require the user to answer the call. Moreover, the call often did not appear in the phone’s logs.
Tracked as CVE-2019-3568 in the Facebook security advisory that detailed it, the attack exploited a buffer overflow vulnerability in the WhatsApp VoIP stack that allowed remote code execution via a specially crafted series of SRTCP packets sent to a target’s phone number.
The WhatsApp vulnerability was discovered in early May during routine security improvements. Facebook has issued a patch for it and users are recommended to update their WhatsApp software.
The most-publicized incident of this type of attack was perpetrated against a U.K.-based human rights lawyer. The attack was unsuccessful because the lawyer had already installed the patch.
Facebook is unsure how many people may have been targeted or how long the vulnerability has been present. It also isn’t clear whether Facebook’s update removes spyware that was installed during an attack.
WhatsApp has grown in popularity among companies, nongovernment organizations, and individuals worldwide because its messaging and phone services are free and easy to use and because of its end-to-end encryption for messaging, video calls and other services. But WhatsApp’s security has repeatedly been found to be vulnerable to attacks.
Protect your business
This type of attack is the latest reminder of the need for businesses to harden the defenses of their employees’ mobile devices. With attacks against mobile devices increasing, along with the value of the data on the average employee’s phone, there is a lot more at risk.
To help protect your employees and company from these kinds of vulnerabilities, businesses can invest in best-in-class mobile device security solutions, especially mobile threat detection and response services that use AI.
An AI-enabled service like Sprint Secure Mobile AI is an always-on advanced mobile threat detection app that uses machine learning to detect threats by analyzing the behavior of the mobile device, and it provides quick response recommendations and decisions when malicious activity is discovered.