ngCERT-2019-0010: ngCERT Advisory on WhatsApp zero-day vulnerability
Apple iOS, Android OS
Advisory ID
Published Date
Tuesday, 14th May 2019
Facebook has patched a critical zero-day vulnerability in WhatsApp that can be, and has been, exploited to remotely install spyware on phones by calling the targeted device. The vulnerability has been exploited to deliver spyware made by Israel-based NSO Group, a controversial company whose products have been used to spy on users' activities. Facebook has described the flaw as a buffer overflow in the WhatsApp VOIP stack. It allows an attacker to remotely execute arbitrary code by sending specially crafted SRTCP packets to the targeted phone number.
Description and Consequences

WhatsApp discovered what it described as abnormal voice calling activity on its systems. Attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call. It was also reported that the victim does not need to answer the call for the vulnerability to be triggered, and that the incoming calls are said to have disappeared from logs.


WhatsApp encourages people to upgrade to the latest version of the app, and to keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.