Messenger: Whatsapp vulnerability threatens billions of users

10/11/2018
G DATA Blog

A vulnerability in Whatsapp can currently only cause the app to crash. However, criminals could further develop the current exploit for malicious purposes. We provide an overview of the situation.

The Facebook-operated messenger service Whatsapp currently has a dangerous security vulnerability. Attackers who exploit the problem can execute code on the smartphone by means of a simple Whatsapp call. The currently known demo exploit only crashes the app in a controlled manner. However, we suspect that it is only a matter of time before this proof of concept is developed further for malicious purposes.

Whatsapp has fixed the vulnerability in current software versions. Both the iOS and the Android versions of Whatsapp are affected. Whoever uses the version with the number 2.18.302 under Android is on the safe side. The same applies to iPhones with version 2.18.93. However, it is currently unclear whether the problem can actually be exploited under iOS.

"Users should check their Whatsapp version and, if possible, install updates via the Play Store," says Alexander Burris, Lead Mobile Researcher at G DATA. "Since this potentially affects several billion users, the vulnerability is an attractive target for criminals. Attackers would be limited to accessing the device using Whatsapp's permissions for the time being. Only by combining it with another attack would they be able to take over the device. That's why it's even more important to have a device at the latest patch level."

Not all users get the update

According to a report by German news portal Heise, however, not all Android users are currently offered the latest version of the software via Google's Play Store. Therefore, users who do not yet have the latest version should regularly check for available updates. G DATA SecurityLabs urges users not to install the patched application from sources outside the Play Store, as this method carries additional security risks.

The error is located in the memory management of the video conferencing system integrated in Whatsapp. It can be triggered by making a specific call to the targeted phone. The problem was found by Natalie Silvanovich of Google's Project Zero. Whatsapp released the patches on September 28 and October 3, respectively.