- WhatsApp vulnerability used to deploy Graphite
- Graphite is commercial spyware built by Israeli developer Paragon
- About 90 people were targeted, WhatsApp said
WhatsApp says it has fixed a zero-day vulnerability that was used by nation states to spy on journalists, dissidents, political opponents and others.
After being tipped off by Citizen Lab security researchers, WhatsApp addressed a bug that allowed threat actors to deploy Graphite, a sophisticated spyware tool developed by the Israeli company Paragon Solutions.
Graphite was deployed in a “zero-click” attack, which means that no interaction from the victim was required.
“WhatsApp has disrupted a Paragon spy software campaign that targeted a number of users, including journalists and civil society members. We have contacted people who, in our view, have been affected,” a WhatsApp spokesman told BleepingComputer.
“This is the latest example of the reason why spy software companies must be held responsible for their illegal actions. WhatsApp will continue to protect people’s ability to communicate in private.”
A CVE has not been assigned to the vulnerability.
WhatsApp also said that it had notified some 90 people, located in more than two dozen countries, including Italian journalists and activists.
In theory, the attack was very simple. After obtaining their target's phone number, threat actors would add them to a WhatsApp group before sending a weaponized PDF. Since the device automatically processes PDF files, the endpoint is compromised without any user action. The next step is to escape the Android sandbox and install the spyware, which grants attackers access to the device’s messaging applications.
Citizen Lab analyzed the Graphite infrastructure and found “potential links with several government customers”, notably Australia, Canada, Cyprus, Denmark, Israel and Singapore.
Governments in Europe and the United States have been quite vocal in their opposition to commercial spyware. In February 2022, the European Data Protection Supervisor (EDPS) recommended prohibiting the use of Pegasus spyware in the EU, citing concerns about fundamental rights and freedoms. The developer of Pegasus, NSO Group, was blacklisted in the United States on November 3, 2021.




