There’s a lot of talk about protecting yourself from hacking: don’t download attachments or click links sent from people you don’t know, or the use of strong, unhackable passwords.
But a new threat cropped up, Tuesday, after reports said hackers were using the messaging app WhatsApp to gain access to phones, even if the user didn’t do anything to allow it.
The Financial Times reported that Israeli-made surveillance spyware called Pegasus was installed on phones by ringing up targets using WhatsApp’s call feature.
The software was installed even if you didn’t pick up the call, and the calls often disappeared from the call logs, the Financial Times reported.
Most hacks commonly reported come from data leaks, or phishing attempts – these usually focus on making money. Credit card data, passwords or banking information is then used to make the hackers money.
But in this case, a WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”
“The bad thing about this vulnerability, [which] is very different from the other vulnerabilities, is that normally to install the spyware on any device you need some user interactions,” Iman Sharafaldin, a cybersecurity researcher at the Canadian Institute for Cybersecurity in New Brunswick said.
That user interaction is something like clicking a link from a malicious email or SMS message, but Sharafaldin said that “in this case actually you don’t need any of them.”
The software, called a “no-click attack,” was instead installed “remotely” – without any input from the user.
“The attack was also very stealthy, given that it required no user input (a no-click attack) and allowed hackers to access target devices discreetly,” Andrew Tsonchev, director of technology at AI firm Darktrace, said in an email.
“It challenges our expectations of which platforms are secure and which are not.”
The company could not say how many people might have been affected, but officials believe only a “select number of users were targeted through this vulnerability by an advanced cyber actor.”
Officials said they’re “deeply concerned about the abuse” of such surveillance technologies and that it believed human rights activists may have been the targets.
Scott Storey, a senior lecturer in cybersecurity at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people.
“For the average end user, it’s not something to really worry about,” he said, adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.”
Still, WhatsApp users are urged to update their app; a patch to fix the security vulnerability was released, Monday.
To do that, users can go to their Google or Apple app store, finding WhatsApp, and clicking “update.”
The security breach was also reported to the U.S. Department of Justice and Ireland’s Data Protection Commission.
Tips for Users:
Sharafaldin also shared some tips for users to protect from all types of security vulnerabilities.
“My suggestion is that if you have sensitive data on your phone please restrict any application from accessing your camera,” he said.
“I’m not talking about just this spyware, [but] about every single camera and microphone access in your application settings.”
He also suggested making sure to delete messages that contain sensitive data. For example, if you share passwords over text or on a messaging app, remember to go back and delete the message.
Users should also be looking for signs their phone is infected such as a spike in battery use or data usage.
“The way that spyware works is they disable the deeper sleep mode and they constantly spy on you,” Sharafaldin said, meaning they are constantly using battery power and data.
He also suggested getting monitoring software like the Lookout app.