This is how attackers were able to spread spyware through WhatsApp with just a phone call


  • A recently fixed vulnerability in WhatsApp allowed attackers to spread spyware to mobile devices with just a phone call.
  • The attacker exploited a buffer overflow vulnerability, a class of bug that has existed for decades.

Earlier this week, it was reported that a vulnerability in Facebook's popular WhatsApp messaging service made it possible for attackers to spread spyware to smartphones via phone calls made through the app.

To do so, hackers exploited what is known as a buffer overflow vulnerability within WhatsApp. The attack was first reported by The Financial Times, and the company said it quickly fixed the flaw. A buffer overflow is exactly what its name implies: an issue that can occur when an app is flooded with more data than it can store in its buffer, or temporary storage space.

"A buffer overflow occurs when a programming error allows more data to be written to a given area of memory than can actually be stored there," Rik Ferguson, vice president of security research at security software firm Trend Micro, told Business Insider via email. "The extra data flows into adjacent storage, corrupting or overwriting the data previously held there, and can cause crashes, corruptions, or serve as an entry point for further intrusions."

In the case of the WhatsApp attack, intruders exploited the buffer overflow bug through the app's phone call function to inject spyware onto smartphones without their owners' knowledge, the Financial Times reported. The exploit would work even if the victim did not answer the call, the report said.


To understand how this is possible, it helps to know how WhatsApp's calling functionality works. Like many popular messaging apps, WhatsApp employs a widely used technology known as Voice over Internet Protocol (VoIP), which allows users to make and receive phone calls over the internet rather than through a standard telephone line.

When you receive a phone call through WhatsApp, the app sets up the VoIP transaction and the encryption that goes along with it, Ferguson said. It then notifies the user of the incoming call and prepares to either accept, decline, or ignore the call based on the user's input.

"It is my understanding that the buffer overflow exploit occurs during this phase, which is why the recipient does not need to answer the call to be successfully compromised," Ferguson said.
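The mechanism Ferguson describes can be shown in a few lines of C. This is an added illustration, not WhatsApp's code or message format and not part of the original report: the one-byte length prefix, the 16-byte buffer and every function name are assumptions made for the example. One handler trusts the length the sender declares, the other checks it against the buffer before copying.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model: one flat region holding a 16-byte receive buffer
 * followed directly by 16 bytes of other ("adjacent") data. */
#define BUF_SIZE    16
#define REGION_SIZE 32
#define MARKER      0xAA

struct session { unsigned char mem[REGION_SIZE]; };

static void session_init(struct session *s) {
    memset(s->mem, 0, BUF_SIZE);
    memset(s->mem + BUF_SIZE, MARKER, REGION_SIZE - BUF_SIZE);
}

/* Hypothetical message layout: msg[0] = declared payload length, then payload. */

/* Flawed handler: never compares the length with BUF_SIZE. The copy is
 * clamped to the model region only so this demo stays well-defined C. */
static int handle_unchecked(struct session *s, const unsigned char *msg, size_t len) {
    if (len < 1) return -1;
    size_t n = msg[0];
    if (n > len - 1) n = len - 1;
    if (n > REGION_SIZE) n = REGION_SIZE;
    memcpy(s->mem, msg + 1, n);          /* missing check: n <= BUF_SIZE */
    return 0;
}

/* Hardened handler: reject the message before any byte is copied. */
static int handle_checked(struct session *s, const unsigned char *msg, size_t len) {
    if (len < 1) return -1;
    size_t n = msg[0];
    if (n > len - 1) return -1;          /* declares more than was received */
    if (n > BUF_SIZE) return -1;         /* would not fit in the buffer */
    memcpy(s->mem, msg + 1, n);
    return 0;
}

/* Send a constructed 24-byte payload to one handler and report whether
 * the adjacent data survived (1) or was overwritten (0). */
static int adjacent_survives(int use_checked) {
    struct session s;
    unsigned char msg[1 + 24];
    msg[0] = 24;
    memset(msg + 1, 'A', 24);
    session_init(&s);
    if (use_checked) handle_checked(&s, msg, sizeof msg);
    else handle_unchecked(&s, msg, sizeof msg);
    for (size_t i = BUF_SIZE; i < REGION_SIZE; i++)
        if (s.mem[i] != MARKER) return 0;
    return 1;
}

int main(void) {
    printf("unchecked handler: adjacent data intact = %d\n", adjacent_survives(0));
    printf("checked handler:   adjacent data intact = %d\n", adjacent_survives(1));
    return 0;
}
```

Both handlers run as soon as the message arrives, with no action from the recipient, which is why a length check at this stage matters.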

Buffer overflow vulnerabilities have existed for decades, even dating back to the famous Morris Worm from 1988, which is widely perceived as being one of the earliest iterations of the modern internet-spread virus. According to Ferguson, instances of buffer overflow exploits have been documented as far back as 1972, and programming languages such as C and C++ are particularly prone to them even today. "Finding them is difficult and successful exploitation even more complex, but attackers and researchers still regularly do so," he said.

The malicious code used in the WhatsApp attack was developed by Israeli firm NSO Group, which develops a product called Pegasus that can activate a smartphone's camera and microphone, the report said. The firm's software has been previously linked to attempts to manipulate devices belonging to activists. In 2016, for example, prominent human rights activist Ahmed Mansoor received a text message with a link that would have installed software from NSO Group on his phone, watchdog organization Citizen Lab discovered.


WhatsApp hasn't said how many of the app's 1.5 billion users have been affected, but it's encouraging all users to upgrade to the latest version of the app.