There are currently quite a number of messaging services, a handful of them from Google itself, but few have withstood the test of time and of the market. WhatsApp, even before its acquisition by Facebook, was already making waves, but its popularity and notoriety rose after it was snatched up by the social networking giant. It prided itself on its end-to-end encryption, one of the few mainstream platforms to advertise such a feature, but that turned out to be pretty useless if a vulnerability allowed certain actors to inject spyware into a phone simply by calling it.
Making phone calls to trigger invasive bugs seems to be the trend these days. At the beginning of the year, Apple was hit by a rather scandalous Group FaceTime bug that let another party spy on the user via audio even when the user didn’t take the call. Then just last month, Skype for Android would automatically answer calls before you could even reject them, a bug in its auto-answering feature.
Now it seems that a WhatsApp call could be just as dangerous, especially if that call is being placed to an activist’s or lawyer’s phone. According to the Financial Times’ report, simply ringing the recipient’s phone via WhatsApp is enough to transmit the Pegasus spyware onto the phone even if the call isn’t answered. And like any good spy tool, it removes traces of that missed call from the phone’s logs.
Complicating matters is that Pegasus is developed by Israel-based NSO Group, a company known for selling such commercial spyware to governments and intelligence agencies. Its publicly stated goal is to help authorities fight terrorism and crime, but it doesn’t take much to imagine how it can be used for other purposes by other, less conscientious elements as well. The company is currently facing lawsuits over how it has provided such tools to repressive countries to track activists and the organizations that support them.
For its part, WhatsApp has frantically worked to patch up the hole ever since the vulnerability was reported earlier this month. Though it is “just” a case of a bug gone terribly wrong, WhatsApp should probably take its role more seriously, especially considering how it is being used for sensitive purposes that could even involve lives.