ANNOUNCEMENT

Introduction

On May 14, 2019, WhatsApp has announced a vulnerability that could be used to target selected WhatsApp users. The National Cyber Coordination and Command Centre (NC4) would like to advise all Malaysian WhatsApp users to update their WhatsApp application to the latest version as recommended by WhatsApp to mitigate this issue.

Impact

Information leakage.

Brief Description

WhatsApp has recently released a statement of a security flaw found in their mobile application, which allows attackers to inject spyware into targets' smartphones through a WhatsApp phone call to the target's number. It does not require the target to pick up the phone call for it to be infected. A successful attacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information on a device and could potentially further compromise the target's device. Call logs can also be altered to hide the method of infection.

The vulnerability, which has been classified as CVE-2019-3568, is a buffer overflow vulnerability in WhatsApp VOIP stack allows remote code execution via specially crafted series of SRTCP packets sent to a target phone number. WhatsApp has released the latest update of the mobile applications on May 14, 2019 to fix this vulnerability.

Affected Products

iOS and Android platform and affecting the following version of WhatsApp:

1. WhatsApp for Android prior to v2.19.134;
2. WhatsApp Business for Android prior to v2.19.44;
3. WhatsApp for iOS prior to v2.19.51;
4. WhatsApp Business for iOS prior to v2.19.51;
5. WhatsApp for Windows Phone prior to v2.18.348; and
6. WhatsApp for Tizen prior to v2.18.15.

Recommendation

NC4 advises everyone who uses the WhatsApp to take the following actions:

1. Update your mobile applications with the latest security patches and updates immediately;
2. Update the operating system of the mobile devices (iOS, Android, Tizen) with the latest security patches and updates immediately;
3. Switch on automatic updates on your mobile devices to get the latest updates;
4. For Android users, please visit the Play Store, click on menu and choose 'My apps and Games'. Tap update next to the WhatsApp messenger.
5. For iOS users, please visit the App Store and select Updates. Select WhatsApp to update; and
6. For Windows 10 users, please visit the Microsoft store and click on 'Menu'. Select 'My Library' and tap 'Update' next to WhatsApp.

Reference

1. CVE-2019-3568
   • https://www.facebook.com/security/advisories/cve-2019-3568
   • https://nvd.nist.gov/vuln/detail/CVE-2019-3568
2. It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware
   https://www.theregister.co.uk/2019/05/14/whatsapp_zero_day/

15-05-2019