WhatsApp's security webpage brags that privacy and security are in its DNA. But those boasts turned out to be hollow, with the messaging platform saying on Tuesday that it was suing Israeli surveillance firm NSO Group for reportedly spying on hundreds of its users globally through its spyware 'Pegasus.'
All hell broke loose with the messaging giant's revelation, creating a furore about the huge security breach in the encrypted platform. Without disclosing the names of the compromised accounts, the Facebook-owned platform said around 1,400 users across four continents were hit, including Indian journalists and human rights activists.
The 'highly sophisticated cyber-attack' reportedly took place in May 2019, exploiting WhatsApp's video calling system. The hackers were able to install the malware on users' phones, including iPhones and Android devices, through loopholes with just a missed call, without leaving any trace on the gadget.
The spyware Pegasus/Q-suite was developed by NSO Group, also known as Q Cyber Technologies, an Israeli firm that claims to help the government with technology in fighting terror and unlawful activities. However, cybersecurity experts from Toronto-based academic group Citizen Lab have drawn attention to the threats posed by the Israeli firm.
How to safeguard yourself from Pegasus
In May 2019, after identifying the security breach, WhatsApp quickly tried to fix the loophole with an app update, which made the spyware's efforts to penetrate into users' accounts futile.
Facebook released an advisory regarding the same. "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number," the advisory read.
WhatsApp versions vulnerable to the hack
WhatsApp for Android prior to v2.19.134
WhatsApp Business for Android prior to v2.19.44
WhatsApp for iOS prior to v2.19.51
WhatsApp for Windows Phone prior to v2.18.348
WhatsApp for Tizen prior to v2.18.15
In other words, your WhatsApp is secured if it is running on the latest updated version i.e.,
Business for Android v2.19.108
There is a caveat, though. Avoid clicking on messages from unknown numbers since that can still lead to the software being installed.
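The vulnerable-version list above, turned into a check over a device inventory. This is an added example, not part of the original article or Facebook's advisory; the platform keys and the sample inventory rows are constructed for illustration.

```python
# Added example: flag WhatsApp installs older than the fixed versions in the article.
# Platform keys and the sample inventory are constructed for illustration.
FIXED_IN = {
    "android": "2.19.134",
    "android-business": "2.19.44",
    "ios": "2.19.51",
    "windows-phone": "2.18.348",
    "tizen": "2.18.15",
}

def parse_version(text):
    """Turn 'v2.19.134' into (2, 19, 134) so components compare as numbers."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(platform, version):
    """True if the version predates the fix, None if it cannot be judged."""
    fixed = FIXED_IN.get(platform.lower())
    if fixed is None:
        return None  # platform not covered by the list in the article
    try:
        installed = parse_version(version)
    except ValueError:
        return None  # malformed version string: needs a human look
    return installed < parse_version(fixed)

def audit(inventory):
    """Return (vulnerable devices, devices needing manual review)."""
    vulnerable, review = [], []
    for device, platform, version in inventory:
        verdict = is_vulnerable(platform, version)
        if verdict is None:
            review.append(device)
        elif verdict:
            vulnerable.append(device)
    return vulnerable, review

SAMPLE = [  # constructed inventory rows: (device, platform, installed version)
    ("phone-01", "android", "2.19.98"),   # as text, "2.19.98" sorts after "2.19.134"
    ("phone-02", "android", "2.19.134"),
    ("phone-03", "ios", "v2.19.50"),
    ("phone-04", "tizen", "2.18.15"),
    ("phone-05", "kaios", "2.19.1"),
    ("phone-06", "android-business", "unknown"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Comparing the version components as integers matters here: a plain string comparison would rank 2.19.98 above 2.19.134 and miss an unpatched device.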
Why Indians should be worried
At least a dozen Indians were hacked with the malware, including journalists, human rights activists and lawyers. WhatsApp in collaboration with Citizen Lab reached out to all the affected users and informed them about the malicious attack. The victims include Nihal Singh Rathod, Bela Bhatia, Sidhant Sibal, Anand Teltumbde and Shubhranshu Choudhary.
These users received suspicious WhatsApp calls or messages along with links, clicking on which gave the Pegasus client access to the target's private information on their phone.
In response, the government of India reached out to the messaging platform asking for an explanation about the breach and measures taken to safeguard the privacy of millions of Indians. IT Minister Ravi Shankar Prasad assured that the government is committed to protecting the privacy of Indian citizens. Soon, the issue took a political turn in India, with the opposition accusing the Centre of snooping into the personal accounts of journalists and human rights activists.