A newly discovered vulnerability in WhatsApp has enabled attackers to use the Facebook Inc.-owned messaging service to spread spyware.

The social network said today that it had first become aware of the so-called zero-day exploit earlier this month and issued a server-side fix within 10 days of the discovery. Facebook also rolled out an update to the WhatsApp mobile app on Monday as an added security measure to block future exploitation attempts.

The vulnerability, tagged as CVE-2019-3568, made it possible for hackers to infect a WhatsApp user’s handset with malware simply by ringing them up. The malicious payload could install itself even if the user didn’t answer the call. WhatsApp’s security team believes that the “advanced cyber actor” who exploited the weakness used it to compromise dozens of mobile devices before the fix was released.

The Financial Times, citing an unnamed spyware dealer, reported that the attackers used malware developed by Israeli surveillance software maker NSO Group in the campaign. The firm sells mobile hacking tools to governments and intelligence agencies, including a piece of malware called Pegasus that has been involved in several high-profile cyberattacks.

WhatsApp told the Associated Press that “we’re certainly not refuting any of the coverage you’ve seen.” In a followup security advisory, parent company Facebook detailed that the spyware worked by sending the messaging service’s backend a series of specially crafted packets to trigger what’s known as a buffer overflow. A buffer overflow exploit is a type of attack in which malicious input is entered into an application to overwrite parts of its code or memory with an external payload.

Once installed on a device, the spyware enabled the attackers to access the user’s device and camera, track their location and view personal files. There were reportedly also cases where the spyware deleted call logs from WhatsApp to remove traces of the attack.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement.

The flaw is “unprecented,” said one security expert, Ilia Kolochenko, the founder, chief executive and chief architect at the web security company ImmuniWeb Inc. “The ability to track the victim in real time, to listen to a device’s microphone and read instant communications are all a golden-mine for cybercriminals,” he told SiliconANGLE in an email. “All corporate users of WhatsApp should urgently launch forensics on their mobile devices to verify whether they were compromised and back-doored.”

Photo: Christoph Scholz/Flickr