WhatsApp vulnerability threatens billions of users—what you need to know

With WhatsApp exploding past 1.5 billion monthly active users, it’s truly a modern tech giant (and Facebook’s $19 billion gamble on it doesn’t seem so foolhardy anymore, either). One of the big selling points for the app is international compatibility; one of the others is end-to-end encryption.

As privacy has become the watchword of modern society, that encryption has become increasingly attractive to all sorts of users — from consumers to government officials alike. But a new, insidious cyber attack uses that very blanket of security to infiltrate phones and steal all your valuable data.

What it is, what to watch out for, and what your business can learn from it:

WhatsApp & NSO Group vulnerability — what you need to know

The truly terrifying potential of this threat vector is the totality of the data compromised: according to The Guardian, “[o]nce installed on a phone, the software can extract all of the data that’s already on the device (text messages, contacts, GPS location, email, browser history, etc) in addition to creating new data by using the phone’s microphone and camera to record the user’s surroundings and ambient sounds, according to a 2016 report by the New York Times.”

So how does it infect user phones?

Allegedly, an Israeli cyber intelligence company — NSO Group — developed the spyware. The attack uses the WhatsApp call feature to transmit malicious code to a target device, even if the recipient doesn’t answer the call. It also can erase logs of the incoming calls, according to the Financial Times report.

What can your business learn from this?

For one, always, always, always update and patch your apps and operating systems when developers release new ones! I would venture that most app upgrades at this juncture are security patches, not redesigned core products.

Secondly, don’t assume third party apps are secure, even when offering buzzwords like ‘end-to-end’ encryption — that’s for messaging within WhatsApp for instance. That doesn’t protect calls (at this juncture). So you need to read the fine print (or employ folks who specialize in handling these things for you) to make sure all aspect of installed apps are vetted through proper security channels.And finally, BYOD (or even enterprise-managed device hardware) are susceptible to bugs, malware or spyware from non-approved apps. You need to make sure your security team (or partner) is consistently vetting and testing installed apps across the hardware deployment to make sure flaws like this one don’t cripple your entire network.