This attack may be possible with a single call. But, from what we have heard this is quite rare / unconfirmed.
Do not uninstall WhatsApp or wipe your phone yet! Just Update the WhatsApp app and read on …
Today WhatsApp revealed that they have discovered a vulnerability in their voice call feature that was being actively exploited. This vulnerability allowed the attacker to call someone on WhatsApp and that call or calls would allow the attacker to remotely run code on the device of their victim. The victims did not need to answer the call for the attack to work. On Friday, WhatsApp added server-side security measures that currently protect users against this attack and have just released an update to WhatsApp that provides additional protections.
The below information discusses threats identified, provides the currently known indicators that will help identify if you may have been targeted, and discusses possible ways to preserve evidence in case you believe you were targeted.
HRW is not able to conduct investigations on possible attacks. But, we are communicating with WhatsApp and are willing to coordinate with WhatsApp and any external investigators they work with to ensure that evidence is shared with the community to help them identify if they were attacked, and to collect possible compromised devices for delivery to a trusted third party investigator who can identify the extent of the attacks. (We don’t have confirmation that this will be forthcoming, but we made it clear that we encourage, and are willing to support, this type of effort if WhatsApp is willing to undertake it.)
Basic Info / Disclaimer
In my professional opinion (Seamus Tuohy) this vulnerability not mean that WhatsApp is not a secure channel for communication. The vulnerability in WhatsApp allowed the attackers to attack a specific users device. It did not compromise the security of the application/infrastructure as a whole.
Based on the threat actor (NSO group) who has been associated with this attack activists and human right actors operating in the global south should take specific note of this notice.
I do not know what code this exploit was being used to run on the targeted devices. There may be other members of the community who have more information, and I am certain more information will come out in the upcoming days. But, I wanted to get this information our as quickly as possible.
What everyone should do: WhatsApp released an update to the app this evening. You should update your WhatsApp as soon as possible. Spread this recommendation widely.
How to identify if you MAY have been targeted: WhatsApp is still early in its investigation. Based on what HRW knows so far, there are some specific characteristics that MAY indicate that an individual was targeted by this attack.
If you see these indicators should follow the evidence preservation measures described below at the very least. Once you have collected evidence that can allow you to identify if you were targeted you will have to make a decision about whether you wish to wipe your device/get a new one to mitigate the risk, or to power off your device and save it for supporting possible efforts to investigate these attacks.
These indicators are written for technical rapid responders. They are not intended to be end-user guidance. I leave that up to you to translate to your communities.
Indicators that MAY show you have been targeted:
You received multiple calls on WhatsApp from an unknown number within a single day.
Your WhatsApp crashed soon after receiving those WhatsApp calls.
What to do if you think you may have been targeted:
Do not uninstall WhatsApp or wipe your phone yet!
Create a sysdiagnosis log on your iphone and save it off your phone. This will collect debugging data that MAY be useful for identifying possible compromise when we have more information.
Create a local unencrypted backup of your phone. This will contain the detailed WhatsApp call log so you can extract highly granular information about WhatsApp calls that can be used as evidence. In an effort to share this guidance as quickly as possible I won’t go into depth on how to get WhatsApp databases out of unencrypted backups here, but will happily share info on how to do this later to help folks who created an unencrypted backup.
Create a “Full” Bug Report on your Android phone (requires developer mode to be enabled). This will collect debugging data that MAY be useful for identifying possible compromise when we have more information.
Create a backup of WhatsApp calls.log on Android. (HELP: I don’t have a method for this at my fingertips. If anyone has guidance on how to do this please share with the community.)
If you think you have found an individual who is likely to have been have targeted reach out to me and I can help keep you in touch with the ongoing investigation.
If they would be willing to provide their phone to an independent trusted researcher for examination they should shut it down at this point as we figure out how/if investigations will occur. They should NOT uninstall WhatsApp or wipe their phone! If they don’t want to wait for a possible future investigation then you can advise them on how to move forward with cleaning their device of possible compromise.
 This attack may be possible with a single call. But, from what we have heard this is quite rare / unconfirmed.