A recently identified bug in WhatsApp allows a bad actor to install spyware on your phone simply by calling you over the popular messaging app. You don’t even need to answer the call, as long as your phone receives it.
The newly discovered flaw, designated CVE-2019-3568 in the list of critical vulnerabilities and exposures, is a software defect that allows a buffer overflow to occur.
When this happens, if the malicious party is clever enough, the buffer overflow can be exploited to overwrite some of the memory used by the app and allow malicious code to execute. For example, the hacker could install spyware that activates the camera and microphone on your device, turning it into a listening post.
All the bad actor needs to do is initiate a VoIP call that has a “specially crafted series of SRTCP packets sent to a target phone number”.
According to a security advisory from Facebook, the bug affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
If you’re a WhatsApp user, don’t wait for automatic updates to happen. Go to your preferred app store and pull the latest update down now.
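For anyone checking more than one device, the following added example (not code from WhatsApp or Facebook) compares installed versions against the fixed versions listed in the advisory above. The inventory rows, device names and status labels are constructed for illustration. Versions are compared numerically because a plain string comparison would rank 2.19.98 above 2.19.134.

```python
# Fixed versions per (platform, app), copied from the advisory text above.
FIXED = {
    ("android", "whatsapp"): "2.19.134",
    ("android", "whatsapp business"): "2.19.44",
    ("ios", "whatsapp"): "2.19.51",
    ("ios", "whatsapp business"): "2.19.51",
    ("windows phone", "whatsapp"): "2.18.348",
    ("tizen", "whatsapp"): "2.18.15",
}

def parse_version(text):
    """Turn 'v2.19.134' into (2, 19, 134); raise ValueError on anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(platform, app, installed):
    """Classify one install as vulnerable, patched, or not assessable."""
    key = (platform.strip().lower(), app.strip().lower())
    if key not in FIXED:
        return "unknown-product"
    try:
        have = parse_version(installed)
    except ValueError:
        return "unparseable-version"  # needs a manual look, never assume patched
    want = parse_version(FIXED[key])
    # Pad to equal length so that 2.19 compares as 2.19.0.
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return "vulnerable" if have < want else "patched"

def audit(rows):
    """rows: iterable of (device, platform, app, installed_version)."""
    return [(dev, status(plat, app, ver)) for dev, plat, app, ver in rows]

# Constructed sample inventory (hypothetical devices).
INVENTORY = [
    ("phone-01", "Android", "WhatsApp", "2.19.98"),
    ("phone-02", "Android", "WhatsApp", "2.19.134"),
    ("phone-03", "iOS", "WhatsApp Business", "v2.19.51"),
    ("phone-04", "Tizen", "WhatsApp", "2.18.9"),
    ("phone-05", "Android", "WhatsApp", "beta"),
]

if __name__ == "__main__":
    for device, result in audit(INVENTORY):
        print(f"{device}: {result}")
```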