WhatsApp says no one harmed by MP4 file malware, CERT-In asks users to update app

By Xite - November 19, 2019

WhatsApp has confirmed that no user was harmed and that it has fixed the vulnerability that could have allowed hackers to deploy malware via a ‘specially crafted’ MP4 file on a user’s device to steal sensitive files and use the phone for surveillance. The Indian Computer Emergency Response Team (CERT-In), the nodal agency for dealing with cyber security threats such as hacking and phishing, has asked users to update the apps to secure their data.

‘WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed, consistent with industry best practices. In this instance, there is no reason to believe users were impacted,’ a WhatsApp spokesperson was quoted as saying. According to the advisory published by CERT-In and WhatsApp parent company Facebook Inc, the following versions of the app are vulnerable:

  • Android versions prior to 2.19.274
  • iOS versions prior to 2.19.100
  • Enterprise Client versions prior to 2.25.3
  • Business for Android versions prior to 2.19.104
  • Business for iOS versions prior to 2.19.100
  • Windows Phone versions before and including 2.18.368
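
A check for the version list above, as an added example (not from the original article, CERT-In or WhatsApp): it compares installed versions against the advisory thresholds numerically and treats the Windows Phone bound as inclusive. The inventory rows and device names are constructed for illustration.

```python
# Affected ranges copied from the advisory list above: (bound, inclusive).
ADVISORY = {
    "Android": ("2.19.274", False),
    "iOS": ("2.19.100", False),
    "Enterprise Client": ("2.25.3", False),
    "Business for Android": ("2.19.104", False),
    "Business for iOS": ("2.19.100", False),
    "Windows Phone": ("2.18.368", True),  # "before and including"
}

def parse_version(text):
    """Turn '2.19.274' into (2, 19, 274) so components compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(client, installed):
    """True if `installed` is in the advisory's affected range for `client`."""
    bound_text, inclusive = ADVISORY[client]
    bound, have = parse_version(bound_text), parse_version(installed)
    width = max(len(bound), len(have))  # pad so '2.25' compares as '2.25.0'
    bound += (0,) * (width - len(bound))
    have += (0,) * (width - len(have))
    return have <= bound if inclusive else have < bound

def audit(inventory):
    """Return (device, client, version, status) for each inventory row."""
    report = []
    for device, client, version in inventory:
        try:
            status = "UPDATE" if is_vulnerable(client, version) else "ok"
        except (KeyError, ValueError):
            status = "REVIEW"  # unknown client or odd version string
        report.append((device, client, version, status))
    return report

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE = [
    ("phone-01", "Android", "2.19.99"),  # a plain string compare would miss this
    ("phone-02", "Android", "2.19.274"),
    ("phone-03", "Windows Phone", "2.18.368"),
    ("phone-04", "iOS", "2.19.100"),
    ("phone-05", "Enterprise Client", "2.25"),
    ("phone-06", "Android", "2.19.274-beta"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-9s %-20s %-14s %s" % row)
```
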

This is a Remote Code Execution (RCE) vulnerability that allows hackers to perform an attack remotely. Exploitation does not require any form of authentication from the victim's end, which means that it triggers when a maliciously crafted MP4 file is downloaded onto the victim's system. This is the second threat of this nature in two months. Last month, a similar vulnerability allowed remote hackers to steal files from Android devices using malformed GIF images.

WhatsApp is already under scrutiny in India. The instant messaging platform confirmed last month that Pegasus spyware was used to snoop on about 1,400 Indian journalists and human rights activists in May this year. The spyware in question was developed by the Israeli company NSO Group, which ties up with governments and uses the technology to fight terrorism and crime.
