iOS WhatsApp Users: Check For Updates

John Lister's picture

iOS WhatsApp users should make sure their app is up to date following a dangerous security attack. The technique is particularly effective but fortunately seems to be highly targeted so far.

It's been described as a zero-click attack, meaning a phone could be compromised simply by a user receiving a message. That's different to most messaging-based attacks, which require a user to open an attachment or image, or to click on a link.

The issue affects the Mac, iPhone and iPad apps for WhatsApp and is the result of a particularly unfortunate combination of two vulnerabilities. One is with WhatsApp itself and is described as "incomplete authorization of linked device synchronization messages." The other bug is with Apple's operating systems and is an "out of bounds" attack involving image handling. (Source: infosecurity-magazine.com)

Malware In Disguise

Attackers who have spotted and exploited this combination appear able to get phones to receive what appears to be an image without the usual security checks on the sender. The image, which may actually be a JavaScript web page, in turn accesses parts of the device memory that should normally be off limits. This could allow malware that finds and retrieves personal information.

The good news, for the general public at least, is that the known exploits of the attack have been highly targeted at specific individuals. A security chief at Amnesty International says it's likely a commercial spyware campaign, which indicates somebody attempting to access personal information and online activity of a political opponent. (Source: phonearena.com)

Updates Critical

It's likely that finding the particular combination of bugs and how they worked together involved some sophisticated and well-resourced analysis. Now the attack has been made public, other criminals may try to take advantage more widely.

Both bugs have now been fixed but will require updates. The Apple operating system fix should update automatically. Most WhatsApp users will get an automated update unless the user has opted out. The easiest way to check for updates is by visiting the App Store on the device, tapping the icon of the user's picture (or a generic head and body), and scrolling down to see apps which have an update available.

What's Your Opinion?

Do you use the WhatsApp app? Do you have automatic updates applied for all your apps? Are you personally worried about hostile nations carrying out targeted surveillance attacks?
