WhatsApp has released a security update to patch two major vulnerabilities that were being actively exploited to install spyware on Apple devices, including iPhones and Macs. What makes these flaws so concerning is that attackers did not need the victim to do anything at all. The spyware could be placed remotely, without a single tap or click. Security researchers refer to this as a “zero-click” exploit, one of the most dangerous types because the victim may never know their device has been compromised.
Key Takeaways
- WhatsApp has fixed two critical zero-day vulnerabilities.
- Attackers could install spyware either during a video call or by sending a malicious video file.
- These were zero-click attacks, meaning no user interaction was required.
- Users of Apple’s iOS and macOS were directly affected.
- All users are strongly advised to update WhatsApp immediately.
The first vulnerability, CVE-2022-36934, was identified as an integer overflow bug. This occurs when a program tries to process a number too large for its allocated memory, which can cause the app to crash or allow attackers to run their own code. In this case, it could be exploited during an active video call, giving attackers direct access to the device.
The second flaw, CVE-2022-27492, was an integer underflow, a related type of memory-handling error. Hackers could use it by sending a specially crafted malicious video file. Even if the user never played the video, the spyware could still be installed silently in the background.
Both of these issues fall into the category of zero-day vulnerabilities. This means they were discovered and exploited by attackers before WhatsApp had the opportunity to address them. These types of exploits are often linked to highly advanced, state-sponsored groups because they are so difficult to detect or stop once deployed.
WhatsApp, owned by Meta, has now released updated versions of the app to close these security gaps. The company has urged all users worldwide, including the more than 400 million in India, to check their version and update as soon as possible. For iPhone users, the secure version is WhatsApp for iOS v2.22.16.12, which can be downloaded through the Apple App Store.
Frequently Asked Questions (FAQs)
Q. What does a zero-click attack?
A. A zero-click attack is a type of cyberattack where a device can be infected with malware or spyware without the user having to do anything, like clicking a link or downloading a file. These attacks exploit vulnerabilities in apps and operating systems.
Q. Which versions of WhatsApp are safe?
A. WhatsApp for iOS version 2.22.16.12 and later versions are patched and safe from this specific vulnerability. You should always keep your app updated to the latest version available on the App Store.
Q. How do I update my WhatsApp on iPhone?
A. Open the App Store on your iPhone, tap on your profile picture at the top right, and scroll down to see pending updates. Find WhatsApp in the list and tap “Update.”
Q. How do I know if my phone was hacked?
A. It is very difficult for an average user to know if they were targeted by a zero-click attack. The best course of action is to always keep your phone’s operating system and all your apps, especially messaging apps like WhatsApp, fully updated.
Q. Who was behind this attack?
A. WhatsApp has not publicly attributed this attack to any specific group. However, similar zero-click vulnerabilities in the past have been linked to private companies that create and sell surveillance tools to government agencies.
