65°F
weather icon Mostly Cloudy

WhatsApp flaw let spies control phones without any interaction

Spyware crafted by a sophisticated group of hackers-for-hire took advantage of a flaw in the popular WhatsApp communications program to remotely hijack dozens of targeted phones without any user interaction.

The Financial Times identified the hacking group as Israel’s NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.

WhatsApp all but confirmed the identification, describing hackers as “a private company that has been known to work with governments to deliver spyware.” A spokesman for the Facebook subsidiary later said: “We’re certainly not refuting any of the coverage you’ve seen.”

The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle. The malware allows spies to effectively take control of a phone — remotely and surreptitiously controlling its cameras and microphones and vacuuming up personal and geolocation data. Encryption is worthless once a phone’s operating system has been violated.

Hackers are always looking for flaws in apps and operating systems that they can exploit to deliver spyware. State-run intelligence agencies including the U.S. National Security Agency invest tens of millions on it. Indeed, Google’s ProjectZero bug-hunting team scoured WhatsApp last year looking for vulnerabilities but did not find any. Instead, it was WhatsApp’s security team that found the flaw.

The development comes as Facebook looks to triple down on its messaging services by merging WhatsApp, Facebook Messenger and Instagram Direct and bringing WhatsApp-level encryption to the others. The attack would not affect Facebook’s ability to do that.

The malware was able to penetrate phones through missed calls alone using the app’s voice calling function, said the WhatsApp spokesman, who was not authorized to be quoted by name. He said an unknown number of people — an amount in the dozens at least would not be inaccurate — were infected with the malware, which the company discovered in early May, the spokesman said.

John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack “a very scary vulnerability.”

“There’s nothing a user could have done here, short of not having the app,” he said. The vast majority of hacks involve some sort of user interaction, such as clicking on an infected link.

The WhatsApp spokesman said its flaw was discovered while “our team was putting some additional security enhancements to our voice calls.” He said engineers found that people targeted for infection “might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped.”

WhatsApp, which has more than 1.5 billion users, immediately contacted Citizen Lab and human rights groups, quickly fixed the issue and pushed out a patch. He said WhatsApp also provided information to U.S. law enforcement officials to assist in their investigations.

“We are deeply concerned about the abuse of such capabilities,” WhatsApp said in a statement.

Although WhatsApp urged all users to update the program on their phones, only a minuscule percentage run the risk of being targeted by such malware.

NSO said in a statement that its technology is used by law enforcement and intelligence agencies to fight “crime and terror.”

“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system,” the statement said. A spokesman for Stephen Peel, whose private equity firm Novalpina recently announced the purchase of part of NSO, did not return an email seeking comment.

The revelation adds to the questions over the reach of the Israeli company’s powerful spyware.

Prior to the latest WhatsApp revelation, NSO’s spyware has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents. Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.

Several alleged targets of the spyware, including a close friend of Khashoggi and several Mexican civil society figures, are currently suing NSO in an Israeli court over the hacking.

On Monday, Amnesty International — which said last year that one its staffers was also targeted with the spyware — said it would join in a legal bid to force Israel’s Ministry of Defense to suspend NSO’s export license.

That makes the discovery of the vulnerability particularly disturbing because one of the targets was a U.K.-based human rights lawyer, the attorney told The Associated Press.

The lawyer, who spoke on condition of anonymity for professional reasons, said he received several suspicious missed calls over the past few months, the most recent one on Sunday, only hours before WhatsApp issued the update to users fixing the flaw.

In its statement, NSO said it “would not or could not” use its own technology to target “any person or organization, including this individual.”

———

Follow Frank Bajak at http://twitter.com/fbajak and Raphael Satter at http://twitter.com/razhael

Don't miss the big stories. Like us on Facebook.
Business Videos
How much do Las Vegas casino CEOs make?
Las Vegas gaming CEOs made anywhere between $1 million and $24 million last year, according to company filings with the U.S. Securities and Exchange Commission. ((Las Vegas Review-Journal)
30-year-old Rio needs a little TLC
Nearly 30 years after the Rio opened, the red and blue jewel that helped catapult Las Vegas to a new level with its buffet and nightclub has lost its status along with its shine.
The latest on the Drew Las Vegas - VIDEO
Eli Segall recounts his tour of the Drew Las Vegas, formerly the Fontainebleau, on the Las Vegas Strip. (Michael Quine/Las Vegas Review-Journal)
Pinball Hall of Fame to move near south Strip
Operators of the Pinball Hall of Fame have been approved to build a new, larger arcade near the south edge of the Strip on Las Vegas Boulevard near Russel Road. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
National Hardware Show underway Las Vegas
The National Hardware Show kicked off Tuesday at the Las Vegas Convention Center (Mat Luschek / Review-Journal)
Caesars for sale?
Caesars Entertainment Corp. has been swept up in takeover speculation since the company’s share price tumbled last year amid disappointing earnings and concerns over a recession. Amid the decline, hedge funds scooped up shares. Billionaire activist investor Carl Icahn began buying shares of Caesars as early as January. Icahn acquired nearly 18 percent by mid-March. In February Icahn called on the Caesars board to study a sale as a way to boost shareholder value.
Las Vegas home prices
Las Vegas home prices grew fastest among major markets in February for the ninth straight month. But amid affordability concerns, the growth rate has slowed down. Southern Nevada prices in February were up 9.7% from a year earlier, according to the latest S&P CoreLogic Case-Shiller index. The last time Las Vegas' price growth fell below 10% was in September 2017, S&P Dow Jones Indices reported.
Free Parking Coming To Wynn
Free parking will come to the Wynn and Encore resorts on May 1, 2019. (Mat Luschek / Review-Journal)
Founding Venetian employees talk about 20 years at the Strip resort
The Venetian, which opened May 3, 1999, is celebrating 20 years on the Las Vegas Strip. Seven original employees talk about opening the luxury resort and working there for two decades. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
Circa aiming for December 2020 opening
The 1.25-million-square-foot property will have 44-stories and 777-rooms. It will also have a separate nine-story, 1,201-space parking garage.
Boxabl official explains the building concept
Boxabl business development manager Galiano Tiramani shows off a room built by his company. (Blake Apgar/Las Vegas Review-Journal)
TI/Mirage Tram reopens
The tram that shuttles guests between TI and Mirage reopened this week after being closed for much of 2018.
Las Vegas Convention Center expansion taking shape
Renderings and actual footage show how the Las Vegas Convention Center is evolving.
Former Starbucks CEO Howard Schultz at Las Vegas convention
Former Starbucks CEO and potential presidential candidate Howard Schultz spoke at the Epicor Insights user conference at Mandalay Bay Convention Center Wednesday, April 17, 2019. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
Drew Las Vegas to open in the second quarter of 2022
The 67-story Drew Las Vegas is slated to open in the second quarter of 2022 at the north end of the Las Vegas Strip. (Michael Quine/Las Vegas Review-Journal)
NAB Day 1 (Time Lapse)
NAB kicked off at the Las Vegas Convention Center on Monday, April 8, 2019. (Mat Luschek / Review-Journal)
National Association of Broadcasters Show shows 1mm thick 8K TV with 22.2 channel digital sound
Japan’s NHK Science & Technology Research Laboratories booth featured a 1mm thick 8K TV system used in conjunction with a 22.2 channel digital sound system at the National Association of Broadcasters Show at the Las Vegas Convention Center. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
Nevada shoppers react to Smith’s no longer accepting Visa credit cards
On March 1, Smith’s announced that it would no longer be accepting Visa credit cards at any of its 142 supermarkets, including the 45 in Nevada.
Massachusetts Gaming Commission asks how long Wynn executives knew about misconduct
Business reporter Rick Velotta gives an update on the adjudicatory hearing on the suitability of Wynn Resorts to retain its gaming license in Massachusetts.
Henderson app developer part of Startup in Residence
Henderson based developers of the app On Point Barricade are taking part in Startup in Residence, a North America program dedicated to pairing tech companies with governments. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
Sam's Town employees and customers talk of their love for the iconic casino
Longtime Sam's Town employees and customers love each other and love their casino. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
Las Vegas apartments rents
Las Vegas’ apartment market has accelerated in recent years. Developers are packing the suburbs with projects, landlords are on a buying spree, and tenants have filled buildings.
William Boyd talks about the birth of Sam's Town
On the eve of the 40th anniversary of Sam's Town, William Boyd, executive chairman of Boyd Gaming and son of hotel namesake Sam Boyd, talks about how the casino became one of the first local properties in Las Vegas. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
High Roller observation wheel turns five
The world’s tallest observation wheel celebrates it’s fifth year on Sunday, March 31, 2019. (Michael Quine/Las Vegas Review-Journal) @Vegas88s
Escape Room Industry Growing In Las Vegas
Escapology employees discuss the growing escape room industry in the U.S. and Las Vegas. (Bailey Schulz/Las Vegas Review-Journal)
Impact of parking fees on visiting the Las Vegas Strip
There are no data showing a relationship between Strip resort and parking fees and the number of out-of-state visitors to Las Vegas. But there are data showing a relationship between Strip parking fees and the number of local visitors to the the Strip. ‘’As a local, I find myself picking hotels I visit for dinner or entertainment, based on whether they charge for parking or not,”’ said David Perisset, the owner of Exotics Racing. ‘’It is not a matter of money, more of principle.’’ A 2018 survey by the Las Vegas Global Economic Alliance found 36.9 percent of Clark County residents reported avoiding parking at Strip casinos that charge for parking. 29.1 percent reported avoiding using any services from a Strip casino that charges for parking.
MGM's sports betting deals
MGM Resorts International signed a sports betting sponsorship agreement with the NBA in July It was the first professional sports league to have official ties with a legal sports betting house. The deal came just two months after the U.S. Supreme Court overturned a law prohibiting sports betting in most states. In October, MGM became the first gaming company to sign a sports betting partnership with the NHL. In November, MGM became the first gaming company to sign a sports betting partnership with the MLB. Financial terms of Tuesday’s deal and earlier partnerships have not been announced.
Faraday puts Las Vegas land on the market
Nearly two years after Faraday Future bailed on its North Las Vegas auto factory, the company has put its land up for sale. (Michael Quine/Las Vegas Review-Journal)
El Cortez owner Kenny Epstein on running the iconic property
Kenny Epstein, owner of the El Cortez Hotel in downtown Las Vegas, talks about Jackie Gaughan mentorship and answers rumors about bodies in the basement at the mob-era casino. (K.M. Cannon/Las Vegas Review-Journal) @KMCannonPhoto
LVCVA recommends construction of underground people mover
The Las Vegas Convention and Visitors Authority announced the recommendation for an underground people mover for the convention center. The system would have the potential to expand and connect Downtown and the resort corridor all the way to McCarran. (Michael Quine/ Las Vegas Review-Journal)
THE LATEST
Texas church opens new sanctuary 18 months after massacre

Pastor Frank Pomeroy told the crowd they were celebrating God’s glory while remembering “those who have paid a price for this incredible facility.”

Graduation speaker pledges to pay class of 2019 student debt

“On behalf of the eight generations of my family that have been in this country, we’re gonna put a little fuel in your bus,” Robert F. Smith told the graduates.