WhatsApp Fixes Vulnerability That Let Hackers Secretly Install Spyware On Mobile Devices

WhatsApp has fixed a vulnerability involving malicious MP4 video files that could potentially allow an attacker to remotely access messages and files stored in the app.

According to a new report from ZDNet, the flaw — identified as CVE-2019-11931 — made it possible for attackers to send a specially crafted MP4 file to remotely execute malicious code on the victim’s device without any intervention.

Basicallt, if a person had sent you an MP4 file on WhatsApp, you should guard against downloading it as hackers could have used a critical vulnerability in the app to execute a snooping attack on both Android and iOS devices. The specially-crafted MP4 file triggers the remote code execution (RCE) and denial of service (DoS) cyber-attack.

“The vulnerability is classified as ‘Critical’ severity that affected an unknown code block of the component MP4 File Handler in WhatsApp,” reported GBHackers on Saturday.

Facebook has issued an advisory, saying “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.”

According to Facebook, the list of affected app versions are as follows:

  • Android versions before 2.19.274
  • iOS versions before 2.19.100
  • Enterprise Client versions before 2.25.3
  • Windows Phone versions before and including 2.18.368
  • Business for Android versions before 2.19.104
  • Business for iOS versions before 2.19.100

“WhatsApp is constantly working to improve the security of our service,” said a WhatsApp representative in a statement. “We make public, reports on potential issues we have fixed consistently with industry best practices. In this instance, there is no reason to believe users were impacted.”

The scope, severity, and impact of the newly patched vulnerability appear similar to a recent WhatsApp VoIP call vulnerability that was exploited by the Israeli company NSO Group to install Pegasus spyware on nearly 1400 targeted Android and iOS devices worldwide.