WhatsApp Voice Calls Used to Inject NSO Group Spyware on Phones ft.com

Mehul Srivastava, Financial Times:

WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function.

The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.

This vulnerability feels a little like an echo of Apple’s FaceTime bug from earlier this year, except it’s much, much worse. All a recipient needed to do was to have WhatsApp installed and connected to their phone number; with just those factors, according to this report, an attacker could remotely install NSO Group’s Pegasus spyware.

The good news is that unless you’re a journalist, an activist, or a tech CEO exposing corruption in Saudi Arabia, in particular, you likely won’t be targeted with Pegasus spyware. Still, keep your devices up to date; Apple released iOS 12.3 today with a bunch of security fixes.

Update: The Dumpster Fire on Twitter:

So, Saudi Arabia has and has used the WhatsApp malware — which spies on phones, can even record audio and video — and Trump’s senior advisor/son-in-law Jared Kushner uses the app to communicate with the Crown Prince of Saudi Arabia… cool cool cool