Yesterday, the Financial Times broke the news of a very dangerous security hole in WhatsApp that allows a very potent Israeli malware to be injected into your smartphone. How worried should you be?
As the Financial Times reported,
> A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said.
> WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function.
> The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.
First, let me give you a little background information about this mysterious potent Israeli malware.
Back on 26 August 2016, I read a news report about Apple issuing a surprise emergency security update, iOS 9.3.5. Apple was mysteriously tight-lipped on why they had to scramble to issue this update. Straightaway, I knew there must be a very interesting back-story to this. As the days went by, media reports began to fill in the holes on what exactly happened. So, the story goes like this…
One day, human rights defender Ahmed Mansoor received a text message promising “secrets” about torture happening in prisons in the United Arab Emirates, along with a link. Luckily, this guy was very smart and careful. He didn’t click on the link. Instead, he forwarded the text message to a cybersecurity company called Citizen Lab. That company, in collaboration with another cybersecurity company called Lookout, dug and investigated further.
What Citizen Lab discovered was a “Holy S**t!!!” moment.
They discovered an extremely sophisticated and potent iOS malware. Had Mansoor merely clicked on that link, the malware would have secretly commandeered his iPhone to spy on him and collect information on whatever was in it. Not only that, it could turn his iPhone into a secret listening and video surveillance device. It is so sophisticated that it can survive subsequent operating system updates! Upon further investigation, it was determined that this sophisticated and potent malware had already been in operation for quite a long while.
Later on, Apple was informed, and they worked overtime to issue the emergency iOS 9.3.5 security update. To cut a long story short, that malware was found to have been created by a private Israeli company called NSO Group and was given the name “Pegasus”. It must have been worth millions of dollars because this is something that only law-enforcement and intelligence organisations of nation-states have access to. How it ended up in the hands of the UAE government is unclear.
So, on 26 August 2016, this potent cyber weapon, “Pegasus”, was smashed in one swoop.
Or so we thought.
Today, with this latest WhatsApp security hole, “Pegasus” and its creator, NSO Group, have re-emerged in the news media. In a way, I feel like we’re back on 26 August 2016 again. The story is weird and there are lots of unanswered questions. I suspect in the days to come, more stories about this will emerge. Today, according to GRC Research Corporation,
> … the NSO Group will be facing a challenge in Israeli court regarding its ability to export its commercial software. The challenge comes from Amnesty International and other human rights groups who allege that it is being used to target human rights attorneys and others. The NSO Group claims that their potent software tools are only used by and for legitimate law-enforcement agencies.
But for the average person, what can you do?
First, update your WhatsApp to:
- WhatsApp for Android to v2.19.134 or above
- WhatsApp Business for Android to v2.19.44 or above
- WhatsApp for iOS to v2.19.51 or above
- WhatsApp Business for iOS to v2.19.51 or above
- WhatsApp for Windows Phone to v2.18.348 or above
From this, it may mean that NSO Group has upgraded “Pegasus” to attack not only iOS devices, but also Android and Windows Phone devices.
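As an added example (not part of the original post), this Python code checks an inventory of installed WhatsApp builds against the minimum versions listed above. Version components are compared as integers, because a plain string comparison would wrongly rank 2.19.98 above 2.19.134; the inventory rows and function names are constructed for illustration.

```python
# Minimum patched builds, copied from the list in this post.
MIN_PATCHED = {
    ("android", "whatsapp"): "2.19.134",
    ("android", "whatsapp business"): "2.19.44",
    ("ios", "whatsapp"): "2.19.51",
    ("ios", "whatsapp business"): "2.19.51",
    ("windows phone", "whatsapp"): "2.18.348",
}

def parse_version(text):
    """Turn '2.19.134' into (2, 19, 134, 0): integer parts, zero-padded to four."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def is_patched(platform, app, installed):
    """Return True/False, or None when the post lists no fixed build for this app."""
    key = (platform.strip().lower(), app.strip().lower())
    minimum = MIN_PATCHED.get(key)
    if minimum is None:
        return None
    return parse_version(installed) >= parse_version(minimum)

def audit(inventory):
    """Return (device, verdict) for rows that need an update or cannot be judged."""
    findings = []
    for device, platform, app, version in inventory:
        try:
            status = is_patched(platform, app, version)
        except ValueError:
            status = None
        if status is not True:
            findings.append((device, "UNKNOWN" if status is None else "UPDATE"))
    return findings

# Constructed inventory rows: (device label, platform, app, installed version).
SAMPLE = [
    ("phone-a", "Android", "WhatsApp", "2.19.98"),
    ("phone-b", "Android", "WhatsApp", "2.19.134"),
    ("phone-c", "iOS", "WhatsApp Business", "v2.19.51"),
    ("phone-d", "Windows Phone", "WhatsApp", "2.18.99"),
    ("phone-e", "Android", "WhatsApp Business", "2.19.5"),
]

if __name__ == "__main__":
    for device, verdict in audit(SAMPLE):
        print(device, verdict)
```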
Now, I have an unanswered question.
In order for “Pegasus” to work as potently as it used to (before 26 August 2016), it needs to be able to exploit security holes in the iOS and Android operating systems. So, are there still any undiscovered security holes in the latest versions of iOS and Android for “Pegasus” to exploit?
If the answer is “Yes”, then Google and Apple will have work to do. Perhaps another round of emergency security updates will have to be released. But how will Apple and Google know where the security holes are if they can’t get hold of the latest version of “Pegasus”?
If the answer is “No”, then the responsibility lies with the average user. In that case, to be safe from “Pegasus”, you need to ensure that you apply the latest security updates on your iOS or Android device. By the way, Apple released iOS 12.3 yesterday with the latest security updates. If you have an Android device, you may be out of luck. As I wrote before,
> Unfortunately, a lot of Android device manufacturers are not diligent in protecting their customers by providing timely security updates. Worse still, some manufacturers do not bother at all. If the manufacturer of your Android device is not forthcoming in providing security updates, you should seriously consider voting with your feet and switching to different Android brand manufacturers that take their cybersecurity responsibility seriously. Ideally, you should get your Android device directly from Google because you can be assured that security updates will be available as soon as Google releases them.
Should the average person be worried about “Pegasus”? Maybe not, because on the surface, it is a highly targeted cyber weapon used by nation-state governments. So, if you are not a VIP criminal or political dissident/activist, you probably wouldn’t be targeted.
But then, it is unclear how, back in 2016, this cyber weapon ended up in the hands of an unsavoury government, to be used on a human rights activist. So, can “Pegasus” also be leaked to the underground cybercriminal community to be used against average folks? Possibly.
Anyway, I believe there will be more to this story. Depending on how this story unfolds, it may mean that you have to do more things to protect yourself. If you want to keep up to date on this story, please subscribe to my emailing list.