WhatsApp Vulnerability Patched after NSO Groups Claims Buffer Overflow Attacks

Earlier this week, Facebook announced that a major vulnerability had been patched after various users reported that their phones had been hijacked. The bug, which allowed hackers to infiltrate and installs malicious apps on the users’ phone, is well-known to developers and cybersecurity experts.

Some sources claim that this type of vulnerability dates back to the early 70s, being associated with the infamous Morris worm attack of 1998. WhatsApp quickly promptly patched the bug.

A Virus That Spreads through Phone Calls

In an interview with Business Insider, Rik Ferguson, the VP of cybersecurity company Trend Micro, stated that the ‘viral code’ was able to get passed WhatsApp’s end-to-end encryption protocol by taking advantage of a well-known bug called buffer overflow.

According to Ferguson, this ‘viral code’ could literally spread through phone calls. What’s even more daunting is the fact that the WhatsApp user didn’t even have to answer the call for his device to become compromised.

So far, no user has reported data loss or money missing from their bank accounts, but, as a precaution, the company advises everyone to hard-reset their phones to purge any remaining malicious code in addition to changing their passwords.

As the VP explained, NSO Group, who, allegedly, orchestrated the attack, would target a very specific bug in the app’s code. When data is transmitted, it’s stored in a memory buffer.

Now, if the buffer’s no longer capable of holding information, this is automatically written on adjacent storage devices such as the phone’s internal memory or the SD card. So far, so good. But what’s this got to do with hackers?

This is what we might call a behind-closed-doors process, meaning that the user has no control over whatsoever. What it all boils down to is that the buffer indiscriminately spits out any kind of data, regardless if it’s safe or malicious.

Hello? Who’s there?

So, how did the NSO Group achieve such high performance?

Trend Micro’s vice-president explains that compared to cell phones calls which employ GSM industry-standard protocols such as CSD (Circuit Switched Data) and HSCSD (High-Speed Circuit-Switched Data), WhatsApp routes calls by using a Voice-Over-IP protocol.

Whenever a call is initiated, the app encrypts the transmission, awaiting input from the user who can accept, reject, or simply ignore the call.

NSO’s ‘viral code’ was designed to trigger the buffer overflow bug by bombarding the user with phone calls. It did not matter if the user accepted or rejected the call because the phone will still have been compromised.

Following this fake phone call, the malicious code briefly stored in the buffer would flow in the phone’s memory banks, overwriting the existing data.

After that, the person behind the attack would have had complete access to the user’s smartphone. Earlier this year, the group proved just how easy devices could be hijacked by installing the code on a phone which allowed them to take over the smartphone’s camera and microphone.

Asked about how many devices had been compromised, a WhatsApp spokesperson declared that “he doesn’t hold all the numbers, though it may be a relatively small amount of people.”

However, at the same time, WhatsApp urged all its users to update the application to the latest version, which, obviously, includes the buffer overflow fix.

What does this attack prove?

According to Brian Gleeson, the mobile product marketing manager at Check Point Software Security, the recent buffer overflow assault proves that not even big market players such as Google or Apple cannot guarantee absolute security despite their efforts.

At this point, the best approach would be a trial-and-error process. This is perhaps the only to identify and seal other points of access that could ultimately compromise the user’s safety.


Though the NSO Group claimed the attacks, some speculate that other forces may be at work here. As for the bug, according to Ferguson, this problem dates back to the early 70s and, apparently, the software that’s more prone to this type of error are those written in C and C++.

WhatsApp did indeed declare that the issue has been permanently fixed, can they indeed guarantee that all future phone calls will be safe?

Luck was on our side this time, but can we actually count on that every time we have to take an important phone call or send a message to our loved ones?

What do you think about this attack and WhatsApp’s fix?

Head to the comments section and let us know.

About Daniel Sadler

Old-school PC gamer, poetry buff, cat lover, tech wiz. His writing career began almost two decades ago when he modestly acknowledged that hindsight or, lack thereof, can compromise security. He enjoys spending quality time with his friends and family. Most of his friends refer to Daniel as a "man of a few words, but, man, what words!" His interests include cybersecurity, IT, blogging, and, of course, everything related to technology.

Leave a Reply

Your email address will not be published. Required fields are marked *