WhatsApp urges users to update app after massive security failure

If you’ve recently had a missed call on WhatsApp from a number you didn’t recognise, cyber criminals might be spying on you.

The Facebook-owned app has admitted that cyber criminals have exploited a major vulnerability in its voice call function and are planting spyware on users’ phones. This enables crooks to turn on devices’ cameras and microphones, read emails and instant messages, and collect users’ location data.

The breach was discovered earlier this month, and WhatsApp released an update addressing the issue on Friday. The messaging service is now urging users to install the patch to ensure they don’t fall victim. Updates are often installed automatically, but it’s worth checking that this feature is enabled.

Who is responsible for the attack?

The technology behind the attack was developed by the Israeli cyber surveillance organisation NSO Group, but the firm has denied playing a part in the breach. It said that the Pegasus spyware is licenced to authorised government agencies “for the sole purpose of fighting crime and terror” and that it doesn’t use it itself.

WhatsApp believes the “attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems”.

The identity of that company is currently unclear, but we would guess the attack was politically motivated. The spyware has been planted on a relatively small number of devices, which wouldn’t be the case if crooks were trying to obtain personal information for financial gain, and those who have reported being targeted hold politically and socially important roles, such as human rights activists, journalists and lawyers.

The severity of the breach means an investigation is bound to be launched, but we doubt that the perpetrators’ identity will ever be discovered. It’s incredibly difficult to investigate sophisticated attacks like this, and it’s even harder to find the necessary evidence to bring about a conviction.

Things should improve as new technologies become available to cyber crime investigators like the National Crime Agency, the FBI and Europol. They will also be helped by organisations paying greater attention to cyber security and engaging in threat intelligence sharing, but it’s always worth remembering that the best defence is prevention. By making it harder for crooks to breach your systems, you’ll make cyber crime a less prosperous endeavour and reduce the likelihood of being targeted.

Subscribe to our weekly newsletter for all the latest cyber security news and advice >>