Newly identified remote exploit exposes WhatsApp private user data

Updated October 8, 2019: A new vulnerability discovered in WhatsApp allows hackers to infect Android devices with malware by sending a malicious GIF file. The malware, known as a double-free vulnerability, is only activated if a user opens the malicious GIF in WhatsApp. Once a user opens the GIF file, a hacker can steal files on their device and access their chat history. This vulnerability affects devices running Android 8.1 and Android 9. 

How to avoid it: Android users should immediately update to the most recent version of WhatsApp, released on October 3. 

This is not the first major WhatsApp vulnerability to make headlines this year. In May, a major vulnerability was uncovered that allowed attackers to install spyware on devices simply by making a WhatsApp call. Through that vulnerability, which was then remedied with app updates for iOS and Android, attackers could access a substantial amount of data on an infected device, as well as control the camera and microphone. 

While this most recent vulnerability is limited to Android, it is always recommended that users on either Android or iOS keep their apps and operating systems as up to date as possible to ensure they have the latest security patches installed.

Continue reading for our report on the previous WhatsApp vulnerability below.

May 2019: A vulnerability recently discovered in Facebook’s popular messaging service, WhatsApp, allows attackers to install spyware on a device simply by making a WhatsApp call. The spyware, known as Pegasus, was created by the NSO Group and it gives attackers access to a substantial amount of data on an infected device, as well as control of the camera and microphone. Beyond updating the app to remedy this issue, how can businesses brace themselves for the next big mobile vulnerability?

The recent WhatsApp vulnerability is alarmingly simple on the surface: it allows an attacker to install spyware on a device by making a WhatsApp call, and the victim does not even need to answer the call. Once installed, this spyware can:

  • Turn on a phone’s camera and microphone
  • Scan emails and messages
  • Collect a user’s GPS location data

According to Wandera’s VP of Engineering, Mike Campin, this new type of attack is deeply worrying, given WhatsApp’s global popularity among more than 1.5 billion users.

“While WhatsApp is not typically used as an official corporate messaging application, it is used widely internationally on employees’ personal devices as well as on corporate-issued devices,” Campin said. “And once exploited via this new attack, the attacker has complete control and visibility of all data on the phone.”

Woman passenger using mobile phone in airport

Fixes were rolled out in the form of app updates through the Apple App Store and Google Play store, the story received ample press coverage, and Wandera informed its clients of the vulnerability along with steps to remedy it.

However, an analysis by our threat research team showed that numerous devices across our global customer portfolio were still running vulnerable versions of WhatsApp several weeks after the vulnerability was discovered.

As Campin noted, this vulnerability poses a real threat to mobile-enabled enterprises since most internet use today is on mobile devices.

This raises an intriguing question: why have so many businesses been slow in addressing this issue?

The bigger picture

While this vulnerability has attracted much attention recently, it is only the latest reminder that IT teams and users alike need to stay vigilant when it comes to mobile threats.

“Bear in mind that this isn’t the first time WhatsApp’s security has been brought into question,” Campin said. “We’ve seen recent incidents of ‘whishing’ – phishing messages over WhatsApp – that have been launched to dupe users. WhatsApp’s ‘end-to-end-encryption’ badge certainly shouldn’t be mistaken as a guarantee that communications are secure.”

New mobile vulnerabilities come to light so frequently that security teams cannot wait for developers to fix each issue. By the time a vulnerability is discovered and remedied, hackers have often had a substantial window to carry out attacks and exfiltrate corporate data.

WhatsApp is generally viewed as a ‘safer’ platform because it utilizes encrypted messaging, but as this recent case shows, this is not a fail-safe solution. In reality, no solution is 100 percent fail-safe, but there are proactive steps businesses can take to mitigate risks and keep their users and information secure.

Mitigating risks:

  • Educate and communicate with end users the proper ways of using mobile devices for business purposes, including the importance of keeping operating systems and apps updated as well as general best security practices.
  • Use a mobile threat defense (MTD) solution to protect devices and networks from known malware threats and social engineering attacks.
  • Revisit your company policy on which apps your employees can use for work-related purposes, and limit the use of non-essential apps on corporate devices. Ultimately, discovering vulnerabilities and patching them is like an arms race between developers and attackers—the fewer non-essential apps on corporate devices, the lower the risk that one of them will have vulnerabilities that have been discovered by hackers but not yet patched.

The WhatsApp Remedy

In addition to bracing for the next big vulnerability, this WhatsApp vulnerability still poses a major risk for businesses with users who have outdated versions of the app installed on devices they use for work-related purposes.

Wandera automatically identifies and flags any devices that have a vulnerable, outdated version of WhatsApp installed. For companies that want to address this issue, below are some suggested steps to remedy this vulnerability and secure your users and data, as well as long-term takeaways to prepare for future scenarios like this.

What IT teams need to do right now

  • Take inventory of how many of your users currently have an outdated version of WhatsApp installed on their devices to assess potential vulnerabilities (for Wandera customers, this can be done through Wandera’s RADAR portal by accessing App Insights in the Security tab, searching for WhatsApp, and then clicking on ‘Detailed View.’ This will show which versions of WhatsApp are installed on your devices).
  • Instruct your staff to install the latest versions of WhatsApp from Apple’s App Store and Google Play (if you manage your mobile devices using an EMM or UEM, you should be able to use that solution to update the app on all managed devices. We strongly advise against using WhatsApp versions obtained from unofficial app sources).
  • Ensure malicious network blocks are turned on to ensure that command and control and data exfiltration traffic is blocked (for Wandera customers, this can be done through the RADAR portal by accessing Policy > Security Policy in the left-hand menu).



Mais do que uma solução tecnológica, somos uma decisão estratégica para as organizações.

Nossa missão é redefinir a relação das empresas com a cibersegurança e a experiência dos usuários no processo de autenticação e acesso a ativos tecnológicos.