Mobile security specialist Wandera has warned that most people have still not patched a serious WhatsApp vulnerability.

Indeed, the London-based company said that according to its data, a huge number of Apple users have yet to upgrade their version of WhatsApp. Android users have apparently responded quicker, but a majority of them are still running the unpatched WhatsApp version.

Earlier this week WhatsApp had urged all of its 1.5 billion users to update their software to fix a vulnerability that was being actively exploited to implant advanced surveillance tools on users’ devices.

Serious flaw

The Facebook-owned company had released the fix last weekend after discovering the vulnerability earlier this month.

The bug was used to implant spyware developed by Israeli developer NSO Group, whose surveillance tools are intended for use by governments and law enforcement agencies.

When attackers rang up a target’s phone, the malicious code would automatically infect the device even if the call was not answered, WhatsApp said in a technical document on the issue.

The attack involved a buffer overflow vulnerability in WhatsApp’s voice over internet protocol (VoIP) stack that allowed remote code execution via a series of specially crafted secure real-time control protocol (SRTCP) packets, WhatsApp said.
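As an added illustration of the bug class this paragraph names, and not WhatsApp's code or the real RTCP/SRTCP wire format (which the article does not describe), the C snippet below shows a constructed length-prefixed packet parser that trusts the declared length beside a bounds-checked version of the same routine. The two-byte header layout, the function names and the sample packets are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy packet: byte 0 = type, byte 1 = declared payload length,
 * bytes 2.. = payload. This layout is invented for the illustration and is
 * not the real RTCP/SRTCP wire format. */
#define MAX_PAYLOAD 64

/* Vulnerable pattern: the length field that arrived from the network is
 * trusted, so a packet that declares more bytes than the 64-byte destination
 * holds (or more than were actually received) drives memcpy past the buffer. */
int parse_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t out[MAX_PAYLOAD])
{
    if (pkt_len < 2)
        return -1;
    size_t declared = pkt[1];
    memcpy(out, pkt + 2, declared);   /* no check against MAX_PAYLOAD or pkt_len */
    return (int)declared;
}

/* Hardened pattern: the declared length is validated against both the
 * destination capacity and the number of bytes actually present before any
 * copy happens; malformed packets are rejected with -1. */
int parse_hardened(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;
    size_t declared = pkt[1];
    if (declared > out_len)          /* would overflow the destination buffer */
        return -1;
    if (declared > pkt_len - 2)      /* claims more payload than was received */
        return -1;
    memcpy(out, pkt + 2, declared);
    return (int)declared;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_PKT[]  = { 0x80, 0x04, 'a', 'b', 'c', 'd' };  /* honest length */
static const uint8_t BIG_PKT[]   = { 0x80, 0xff, 'a', 'b', 'c', 'd' };  /* declares 255 bytes */
static const uint8_t TRUNC_PKT[] = { 0x80, 0x10, 'a', 'b' };            /* declares 16, carries 2 */

int main(void)
{
    uint8_t buf[MAX_PAYLOAD];
    printf("hardened/good:   %d\n", parse_hardened(GOOD_PKT, sizeof GOOD_PKT, buf, sizeof buf));
    printf("hardened/big:    %d\n", parse_hardened(BIG_PKT, sizeof BIG_PKT, buf, sizeof buf));
    printf("hardened/trunc:  %d\n", parse_hardened(TRUNC_PKT, sizeof TRUNC_PKT, buf, sizeof buf));
    /* The vulnerable parser is only run on the honest packet here; feeding it
     * BIG_PKT would write past buf, which is exactly the defect being shown. */
    printf("vulnerable/good: %d\n", parse_vulnerable(GOOD_PKT, sizeof GOOD_PKT, buf));
    return 0;
}
```

The point of the hardened version is that a length field is attacker-controlled input like any other byte on the wire: it has to be checked against the destination size and against the bytes actually received before it is used as a copy count. In a real media stack the same check would apply to every nested length field, not just the outermost one.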

Sadly, despite the seriousness of the vulnerability, WhatsApp users have been remarkably slow to update.

Upgrade immediately

According to an analysis (on Thursday 16 May) of the percentage of devices across Wandera’s global customer base that have the upgraded version of WhatsApp, a clear majority are unfortunately still using the vulnerable version.

Wandera said that its data showed that only 19.8 percent of iOS device users are currently on the upgraded version.

A staggering 80.2 percent of iOS users are still using the old vulnerable version of WhatsApp.

There was slightly better (but not much) news on the Android front, where 44.6 percent of users are using the upgraded version.

That leaves 55.4 percent of Android users still vulnerable because they have not upgraded WhatsApp yet.

There is no reason for users not to upgrade. The patched version of WhatsApp for Android was released on Friday 10 May, while for iOS, it was made available on Monday 13 May.

Never secure

It is important to remember that unpatched versions of WhatsApp remain insecure until the patch is applied, even though the messaging platform switched on end-to-end encryption in 2016 for all its products.

Android users have had encryption since 2014.

But at least one rival used the fallout from the security scare to claim that WhatsApp has never been secure as a platform.

Russian entrepreneur and Telegram founder Pavel Durov wrote a blog post this week entitled ‘Why WhatsApp will never be secure’, in which he laid out the reasons he was not surprised by the WhatsApp scare.

“The world seems to be shocked by the news that WhatsApp turned any phone into spyware,” wrote Durov. “This news didn’t surprise me though. Last year WhatsApp had to admit they had a very similar issue – a single video call via WhatsApp was all a hacker needed to get access to your phone’s entire data.”

“Every time WhatsApp has to fix a critical vulnerability in their app, a new one seems to appear in its place,” he alleged. “All of their security issues are conveniently suitable for surveillance, and look and work a lot like backdoors.”

“Unlike Telegram, WhatsApp is not open source, so there’s no way for a security researcher to easily check whether there are backdoors in its code,” he wrote. “Not only does WhatsApp not publish its code, they do the exact opposite.”

“WhatsApp has a consistent history – from zero encryption at its inception to a succession of security issues strangely suitable for surveillance purposes,” he wrote. “Looking back, there hasn’t been a single day in WhatsApp’s 10 year journey when this service was secure.”

In 2017 WhatsApp was forced to deny it had a backdoor in the messaging platform, when Tobias Boelter, a security researcher at the University of California, Berkeley, alleged that WhatsApp could reissue encryption keys for offline devices, compromising privacy.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
