Answering a video call in WhatsApp might lead to account theft

by Julie Splinters

WhatsApp hack leads to compromised accounts after answered video call from cyber criminals

A recently discovered bug[1] exposed a vulnerability in WhatsApp for iOS and Android. Users who answer a video call from an unknown source might be at risk of having their accounts compromised. Once the company received the notification, it immediately patched the security bug; thus, those who have updated their phone and tablet apps should now be safe.

The bug did not affect the desktop version of the application because the vulnerability relies on the Real-time Transport Protocol (RTP), which is only used on Android and iOS, while WhatsApp Web utilizes WebRTC.[2]

Google security researcher Natalie Silvanovich discovered the flaw back in August and promptly reported the findings to WhatsApp. The principle of the hack, in this case, is that a single video call gives an opportunity to take full control of the phone remotely when the user answers.

Natalie explained the issue in her report:

Restart WhatsApp and call the target device and pick up the call. The device will crash in a few seconds.

A specially crafted Real-time Transport Protocol packet triggered an error

The critical vulnerability in the WhatsApp messenger application allowed criminals to remotely control the program, and then the device, by initiating a video call via WhatsApp. The heap memory overflow is triggered when the user receives a malformed RTP[3] packet and a video call request in the app. When answered, the call triggers a corruption error and crashes the mobile app as well as the mobile phone.
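To illustrate the class of check that keeps a malformed RTP packet from overflowing a heap or stack buffer, here is an added example that is not WhatsApp's code and does not reproduce the reported bug. It is a generic parser for the RFC 3550 RTP header; the names rtp_parse, rtp_view and the 1200-byte MAX_PAYLOAD limit are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RTP_FIXED_HDR 12u
#define MAX_PAYLOAD   1200u  /* assumed receive-buffer size */
struct rtp_view { uint8_t pt; uint16_t seq; size_t payload_len; uint8_t payload[MAX_PAYLOAD]; };

/* Constructed samples: a valid packet, and one whose CSRC count claims 60 bytes never sent. */
static const uint8_t ok_pkt[]  = {0x80, 96, 0, 7, 0,0,0,1, 0,0,0,2, 'd','a','t','a'};
static const uint8_t bad_pkt[] = {0x8F, 96, 0, 8, 0,0,0,1, 0,0,0,2, 'd','a','t','a'};

/* Returns 0 on success, negative on a malformed packet. Every length taken
 * from the wire is checked against the bytes actually received before use. */
int rtp_parse(const uint8_t *pkt, size_t len, struct rtp_view *out)
{
    if (pkt == NULL || out == NULL || len < RTP_FIXED_HDR) return -1;
    if ((pkt[0] >> 6) != 2) return -2;                 /* version must be 2 */

    size_t off = RTP_FIXED_HDR + 4u * (pkt[0] & 0x0F); /* skip the CSRC list */
    if (off > len) return -3;

    if (pkt[0] & 0x10) {                               /* extension header present */
        if (len - off < 4) return -4;
        size_t ext = 4u + 4u * (((size_t)pkt[off + 2] << 8) | pkt[off + 3]);
        if (ext > len - off) return -4;
        off += ext;
    }

    size_t end = len;
    if (pkt[0] & 0x20) {                               /* padding: last byte is the count */
        uint8_t pad = pkt[len - 1];
        if (pad == 0 || pad > len - off) return -5;
        end = len - pad;
    }
    size_t n = end - off;
    if (n > sizeof out->payload) return -6;            /* would overflow the copy target */
    out->pt = pkt[1] & 0x7F;
    out->seq = (uint16_t)((pkt[2] << 8) | pkt[3]);
    out->payload_len = n;
    memcpy(out->payload, pkt + off, n);
    return 0;
}

int main(void)
{
    struct rtp_view v;  /* exit status 0 when both samples behave as expected */
    return !(rtp_parse(ok_pkt, sizeof ok_pkt, &v) == 0 && rtp_parse(bad_pkt, sizeof bad_pkt, &v) == -3);
}
```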

Another Google Project Zero researcher claims[4] that this issue is a big deal and people should be concerned because all the hacker needs is an answered call. After that, all encrypted conversations stop being private.

In response to Natalie Silvanovich, Tavis Ormandy said on his Twitter account:

This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp.

The bug in WhatsApp discovered back in August wasn't the first

This incident revealed that a hacker needs only one sensitive credential, like your email login or phone number, to hack your account and then spy on you further. The vulnerability in this messaging app was reported to WhatsApp as soon as Silvanovich discovered the bug back in August this year.

The developers of the popular messaging app patched the bug on September 28th for Android devices, while iOS users could update the app on October 3rd. Thus, if you still haven't updated your device, now is a good time to do it. Additionally, not answering suspicious calls is a good idea overall.

Unfortunately, a few months ago another flaw was discovered in the messaging app.[5] This issue involved the way the mobile app connects with WhatsApp Web because it allowed users to modify the content of messages sent in group and private conversations.

About the author

Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
