WhatsApp Discovers 'Targeted' Surveillance Attack

[upnorth]

Content source

https://www.bbc.com/news/technology-48262681

Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users, and was orchestrated by "an advanced cyber actor". A fix was rolled out on Friday. On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution. The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times. The problem was first discovered earlier in May. WhatsApp promotes itself as a "secure" communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient's device. However, the surveillance software would have let an attacker read the messages on the target's device. "Journalists, lawyers, activists and human rights defenders" are most likely to have been targeted, said Ahmed Zidan from the non-profit Committee to Protect Journalists.

How do I update WhatsApp?

Android

• Open the Google Play store
• Tap the menu at the top left of the screen
• Tap My Apps & Games
• If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
• If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
• The latest version of WhatsApp on Android is 2.19.134

iOS

• Open the App Store
• At the bottom of the screen, tap Updates
• If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
• If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
• The latest version of WhatsApp on iOS is 2.19.51

 

[upnorth]

attackers used WhatsApp's voice call function to ring a target's device. Even if the call wasn't picked up, the surveillance software could still be installed because of that "vulnerable VOIP" not being secure enough. The call then may have disappeared from the device's call log because hackers had control of the app. And no, the fix isn't just a case of turning your phone off and on again. On Monday, WhatsApp suggested its 1.5 billion users update the app after rolling out a fix to help protect devices from cyber attacks. You'll have to do this one manually so that little red dot hovering above App Store (or whatever your phone does to give you a passive-aggressive nudge) isn't going to take care of itself this time.

Get off the cloud

You probably know about end-to-end encryption - one of the biggest appeals of WhatsApp. But if you - or your friends - back up your WhatsApp chats to a service like Google Drive or iCloud, there is a flaw. That back-up is not protected by end-to-end encryption, so anyone with access to your cloud could get hold of your chat history. So if you really care about privacy, then that's something you might want to disable. You might get the odd prompt asking how often you want backups - but if you want to change it now then head to the Chat Backup area of your settings.

Sweet 2FA

If your app supports it (which WhatsApp does), two-factor authentication (2FA) is a good way to help keep data safe. This is an extra layer of security to make sure people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they'll be required to provide a finger print, a voice command, or a code texted to your mobile device for example. Sometimes it's some extra information. You know the drill: first pet, mother's maiden name - those guys. Again you can change two-step verification in your settings in WhatsApp.

Add the layers that suit you

WhatsApp (and loads of other apps) offers a range of security and privacy control. Go to Settings > Account > Privacy to see everything at your disposal. From there you can control who can see your "last seen", profile photo and live location. You can also turn off read receipts here, so the blue check marks are switched off. You can go for all or none of those depending on who you want to let see various aspects of your chats.

Don't lose loads of sleep over it

This hack is perhaps a bit more urgent if you're a lawyer, activist, human rights worker or journalist.

WhatsApp: How to stay safe on social media

Hackers were able to "remotely install surveillance software" on some accounts.

www.bbc.com

 

[Threadripper]

Oh how I'd love to get rid of it and use Signal, but that of course requires others to do the same thing. Can probably convince family to switch once FB, Insta and Whats become one app.

 

[CyberTech]

More information

9 things you need to know about the WhatsApp zero-click spyware attack

The spyware allowed the attacker to take over iPhones and Android phones by simply placing a WhatsApp voice call to them.

www.fastcompany.com