The WhatsApp messaging app is displayed on an iPhone in May 2019. WhatsApp is advising users to update the messaging app after a vulnerability was identified. (AFP/Justin Sullivan/Getty Images)
The WhatsApp messaging app is displayed on an iPhone in May 2019. WhatsApp is advising users to update the messaging app after a vulnerability was identified. (AFP/Justin Sullivan/Getty Images)

CPJ Safety Advisory: Spyware vulnerability found in WhatsApp

[EDITOR’S NOTE: See CPJ’s updated safety advisory here.]

New York, May 14, 2019–A vulnerability that infects phones with spyware has been identified in the messaging app WhatsApp, according to reports. The attack targets users of Android and iPhone and involves calling users over WhatsApp. Those targeted report receiving a series of missed calls from an unknown number followed by the app crashing, researchers at Toronto’s Citizen Lab told the Financial Times, which first reported the vulnerability.

The researchers said they believe the spyware attack was connected to the same vulnerability that WhatsApp engineers have been trying to fix. Digital researchers said the spyware has characteristics of technology from the Israeli company NSO, the New York Times reported. NSO created Pegasus, a spyware for mobile devices that Citizen Lab has detected in over 45 countries.

The spyware detected in WhatsApp can still be installed on a person’s phone even if they do not answer the call, and the unknown number is not always recorded in the call log, the researchers said. It is currently unclear whether the spyware is contained within the app or whether it could infect the whole phone. CPJ has found that often such spyware allows for attackers to access the contacts, messages, and microphone of an infected phone.

While there is currently no public data on the number of infections, journalists could be among those affected. The WhatsApp vulnerability was believed to have been used in an attempted attack against a U.K.-based human rights lawyer, who is suing NSO on behalf of Mexican journalists and who was not named in reports, according to reports.

In a statement to the Financial Times, WhatsApp said it was investigating and recommended that users update to the latest version of the app “to protect against potential targeted exploits designed to compromise information stored on mobile devices.”

A spokesperson for NSO told CPJ via email, “NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”

The spokesperson added, “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization, including this individual.”

Journalists who believe they may have been targeted should take the following steps:

  • Document missed calls from unknown numbers to your WhatsApp account.
  • Update WhatsApp to the latest version of the app. You should receive a notification from WhatsApp to do this.
  • Update your phone’s operating system to the latest version.
  • If you are unable to update to the latest version of WhatsApp, uninstall the app until you are in a position to do so.
  • Monitor your WhatsApp account for any suspicious activity.
  • Consider switching to a more secure messaging app such as Signal. Be aware that some encrypted messaging apps can make you look suspicious in certain circumstances.
  • Journalists who are concerned about the vulnerability should stop using their phone, turn it off, and keep it in a metal drawer or Faraday bag–a pouch made of material that blocks wireless signals. Journalists who are working on sensitive stories or who feel that they may be targeted by a sophisticated adversary should change their phone every few months.

CPJ is working alongside our partners to understand the full scope of the threat. If you suspect that you have been targeted, please contact our Emergencies Response Team by emailing emergencies@cpj.org.

For more information on digital security, CPJ’s Safety Note on Digital Safety and see the digital safety information included in our Resource Center.

[EDITOR’S NOTE: This safety advisory was updated on May 16, 2019]