The discovery that hackers could snoop on WhatsApp should alert users of supposedly secure messaging apps to an uncomfortable truth: “End-to-end encryption” sounds nice — but if anyone can get into your phone’s operating system, they will be able to read your messages without having to decrypt them.
According to a report in the Financial Times on Tuesday, the spyware that exploited the vulnerability was Pegasus, made by the Israeli company NSO. The malware could access a phone’s camera and microphone, open messages, capture what appears on a user’s screen, and log keystrokes — rendering encryption pointless. It works on all operating systems, including Apple’s iOS, Google’s Android, and Microsoft’s rarely used mobile version of Window.
The targets didn’t even need to pick up, and there was often no trace in the call log. It seems the group targeted only a few high-profile activists—so you’re probably safe—but you should download the latest update, just in case.
WhatsApp, which is owned by Facebook, is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, said a person familiar with the issue. As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method. Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to the same vulnerability that WhatsApp was trying to patch.
Facebook’s Tuesday urged users to upgrade to the latest version of its popular messaging app following a report that users could be vulnerable to having malicious spyware installed on phones without their knowledge.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesman said.
“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”