WhatsApp Active Exploitation

A vulnerability in WhatsApp has been exploited in the wild prior to the releases of a recent security patch[1]. When exploited, CVE-2019-3568 allows for remote code execution without authentication or user interaction. Threat actors have been identified using this vulnerability to deliver spyware to select targets. WhatsApp addressed this issue on their servers on the 10^th of May and publicly released patches for mobile devices on May 13^th. WhatsApp users are recommended to update the app to the latest version immediately before additional threat actor groups adopt this vulnerability.

What we’re doing about it

• The eSentire Threat Intelligence Team is monitoring this issue for additional details

What you should do about it

• Ensure corporate mobile devices with WhatsApp installed are running the most up-to-date version

Additional information

CVE-2019-3568 is a buffer overflow vulnerability affecting the WhatsApp VOIP stack. It can be exploited by threat actors sending specially crafted SRTCP packets sent to targeted phone numbers [2]. When executed, the attack appears as a phone call to the WhatsApp number. The user does not need to answer the call for the attack to be successful.

The only available indicator of this attack, at this time, is missed calls from a Swedish phone number (+46). If the attack is successful, these call logs are deleted by the threat actor after infection.

Affected Versions:

• WhatsApp for Android prior to v2.19.134
• WhatsApp Business for Android prior to v2.19.44
• WhatsApp for iOS prior to v2.19.51
• WhatsApp Business for iOS prior to v2.19.51
• WhatsApp for Windows Phone prior to v2.18.348
• WhatsApp for Tizen prior to v2.18.15

Resources:

[1] https://www.nytimes.com/2019/05/13/technology/nso-group-whatsapp-spying.html

[2] https://www.facebook.com/security/advisories/cve-2019-3568