If you have updated the WhatsApp app on your phone since yesterday, you are now secure. The world’s largest instant messaging application was yesterday found to have put its users at risk, because of a vulnerability in its code. The company patched the app through an update, and encouraged users to update immediately.
What WhatsApp faced yesterday, though, is called a “zero-day exploit” in the cybersecurity space. A zero-day exploit targets a vulnerability in software that was previously unknown to everyone, including users and the company. According to security experts, there is almost nothing that a user can do to protect against such threats, except the usual best practices.
“It’s hard to stop zero day threats… It’s called zero day because it’s known but doesn’t have a patch,” said Ashish Singh, an ethical hacker and CEO of software and app development firm bZird. “An antivirus may add some level of protection but it’s usually ineffective in case of zero days,” he added.
Zero-day vulnerabilities cannot be patched unless they’re made public, or found by someone who reports them to the software developer. Security experts agree that no app or software is completely bug-free, meaning this could have happened to any application. “It’s safe using WhatsApp, but like any software it can have bugs that might be exploited. There is no bug-free software alternative,” said Oded Vanunu, Head of Products Vulnerability Research at Checkpoint Security.
Victor Chebyshev, anti-malware expert at Kaspersky Labs, says that if you’re afraid your phone may have been compromised without your knowledge, a “hard reset” of the device, restoring it to the factory settings, is advised. “Right after that (after factory reset), you will need to install the antivirus solution again to check if the factory reset procedure was able to remove all pieces of malware,” he added.
It’s also worth noting that the vulnerability did not concern how WhatsApp encrypts your messages. Even if an attacker did install the spyware, it would give them access to your phone, but they wouldn’t be able to read incoming and outgoing WhatsApp texts on your phone. “WhatsApp Encryption is not relevant to this attack, the encryption works correctly and it’s protecting from eavesdropping,” Checkpoint’s Vanunu clarified.
The vulnerability found in WhatsApp allowed attackers to place spyware on your phone by placing a call (irrespective of whether you took said call) through the app’s VoIP (voice over internet protocol) service. The spyware would also delete the call from the user’s call logs, so that no trace of its existence was left on your phone.
WhatsApp patched the application and has since shared relevant details with authorities in Europe and the US for further investigation.