A vulnerability in WhatsApp makes it possible to hijack a smartphone with a single video call. Potentially, billions of WhatsApp users are affected.
With a single video call, an attacker could exploit a vulnerability that lay dormant in the code of the WhatsApp messenger. Google’s Project Zero, a team of elite hackers, discovered this bug and has now published it, a week after WhatsApp released a fixed version for iOS. The corresponding Android update has been available since September 28th.
The bug is in the memory management of the video-call feature. A specially crafted RTP packet can corrupt it so that the sender can inject their own code and thus hijack the smartphone. Natalie Silvanovich of Project Zero discovered the flaw and documents it with a proof-of-concept exploit that crashes WhatsApp in a controlled manner, which is the usual way to demonstrate high-severity bugs.
Check and update now
It can be expected that malicious hackers will quickly extend the harmless demo exploit so that it installs, for example, spyware on the device. Therefore, all WhatsApp users should now check whether they have the latest version installed and install any updates available from official sources. The current WhatsApp version is 2.18.93 for iPhone and 2.18.302 for Android (or 2.18.306 in Google’s Play Store). All versions released since September 28 should be safe. The installed version is shown under “Settings / Help” at the top of the page.
Update 13:10, 10/10/2018: For some users, Google’s Play Store only offers WhatsApp version 2.18.293 from 24.09.2018. According to Google’s Project Zero, that version is still vulnerable. Affected users can obtain the latest version directly from WhatsApp, but may need to turn off the security setting that prohibits installing apps from unknown sources. We do not recommend that. Since there are no known active attacks on this flaw, it is better to check tomorrow whether the newer, fixed version is available in the Play Store. Until then you can protect yourself by not accepting video calls, at least not from unknown persons.
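A small version check, added here as an example and not part of the article or of WhatsApp's software, that compares an installed build against the fixed versions the article names (2.18.93 for iOS, 2.18.302 for Android; the Play Store build 2.18.306 and the still-vulnerable 2.18.293 are used as constructed sample inputs). It compares the dotted versions numerically, because a plain string comparison ranks "2.18.93" above "2.18.302" and would wrongly report an old Android build as fixed. The platform keys and function names are this example's own.

```python
"""Check an installed WhatsApp build against the fixed versions named in the article.

Added example; the version numbers come from the article, everything else is
this example's own construction.
"""
from typing import Dict, Tuple

# Minimum fixed version per platform, as stated in the article. Any Android build
# at or above 2.18.302 counts as fixed; the Play Store ships 2.18.306.
FIXED_VERSIONS: Dict[str, str] = {
    "ios": "2.18.93",
    "android": "2.18.302",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of ints so it compares numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """Return True if the installed build is at or above the fixed version for the platform."""
    if platform not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}; expected one of {sorted(FIXED_VERSIONS)}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[platform])


def naive_string_check(platform: str, installed: str) -> bool:
    """The pitfall: lexicographic comparison of version strings. Kept only to show
    why parse_version() is needed; do not use this for a real check."""
    return installed >= FIXED_VERSIONS[platform]


def report(platform: str, installed: str) -> str:
    """Human-readable one-line verdict for a given platform and installed version."""
    verdict = "fixed" if is_patched(platform, installed) else "VULNERABLE, update now"
    return f"{platform} {installed}: {verdict} (fixed since {FIXED_VERSIONS[platform]})"


if __name__ == "__main__":
    # Constructed sample inputs drawn from the versions the article mentions.
    samples = [
        ("ios", "2.18.93"),
        ("android", "2.18.306"),
        ("android", "2.18.293"),  # the Play Store build the update note flags as still vulnerable
    ]
    for platform, installed in samples:
        print(report(platform, installed))
    # The string comparison claims 2.18.93 on Android is fixed; the numeric one does not.
    print("naive:", naive_string_check("android", "2.18.93"), "numeric:", is_patched("android", "2.18.93"))
```

The numeric comparison is the whole point: tuple comparison in Python walks the components left to right as integers, so 2.18.302 is correctly ranked above 2.18.93, whereas the string comparison stops at the first differing character ("9" versus "3") and gets it backwards.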