According to reports, the devices could have been infected even without users picking up the hacker's call.
Matthew Hickey, a security researcher and co-founder of the cybersecurity firm Hacker House, has told Sputnik about possible ways to solve the problem.
Matthew Hickey: WhatsApp and mobile messaging applications are just as vulnerable to computer exploits today as desktop computers were in the past. The recently reported spying utility KARMA operated by former US NSA intelligence contractors in the Middle East reportedly used similar exploits to the WhatsApp issue.
These exploits are often used to obtain sensitive information for espionage purposes. Google Project Zero extensively audited the WhatsApp code and shared its findings. Independent researchers looked as well. Despite these efforts, occasionally vulnerabilities like the announced WhatsApp flaw surface.
Sputnik: Is there a possibility that the upgrade won't help?
Matthew Hickey: The WhatsApp upgrade will certainly prevent exploitation of this known flaw, however, how many of us really inspect devices for other signs of attacks? Kaspersky is one of the few mobile vendors who worked recently with the EFF to enhance spyware detection capabilities. This was a milestone as many vendors are simply not even looking for spyware of this nature and much of it goes undetected.
It is important to understand that although you are protecting against this one vulnerability, what happens if one of your other applications is attacked? Do you regularly sweep your smartphone with anti-virus tools?
Sputnik: It took time to detect the spyware. What kind of programme is it?
Matthew Hickey: Valuable exploit information of this nature is used sparingly and in situations where detection is not likely to be noticed, many such tools are sold with unique requirements that prohibit distribution or use in specific ways — this means an attack of this nature could be seen as expensive for an individual but cheap for a global corporation.
This attack is one that was detected that was still being exploited in the wild — this shows that perhaps the persons responsible for it were not selective enough in their application. It is rare for a remote code execution attack that impacted mobile devices to publicly be disclosed, however dozens of attacks occur in the wild each year and the nature of data targeted by attackers continues to become ever more personal.
Sputnik: WhatsApp has alerted US law enforcement to the exploit, and published a "CVE notice" to other cybersecurity experts alerting them to "common vulnerabilities and exposures". What steps by the government do you expect?
Matthew Hickey: WhatsApp alerting US law enforcement and publishing CVE details will help other vendors and software companies understand the risks and lessons learned during this incident. Government action should also be to investigate the widespread usage of mobile applications that they depend upon.
The French government created a private network for ministers that was breached on the first day, so it's important that globally we understand that the threats are advanced.
Sputnik: What can you say about NSO Group, involved in several scandals of this kind recently?
In the wrong hands a WhatsApp vulnerability like the one disclosed today could have been used in a more global incident like WannaCry, but impacting us all much more personally. It's important that you ensure patches are applied and consider using security solutions to safeguard all your personal data.
The views and opinions expressed in the article are those of Matthew Hickey and do not necessarily reflect those of Sputnik.