Mobile security specialist Wandera has warned that most people have still not patched a serious WhatsApp vulnerability.
Indeed, the London-based company said that according to its data, a huge number of Apple users have yet to upgrade their version of WhatsApp. Android users have apparently responded more quickly, but a majority of them are still running the unpatched WhatsApp version.
Earlier this week WhatsApp had urged all of its 1.5 billion users to update their software to fix a vulnerability that was being actively exploited to implant advanced surveillance tools on users’ devices.
The Facebook-owned company had released the fix last weekend after discovering the vulnerability earlier this month.
The bug was used to implant spyware developed by Israeli developer NSO Group, whose surveillance tools are intended for use by governments and law enforcement agencies.
When attackers rang up a target’s phone, the malicious code would automatically infect the device even if the call was not answered, WhatsApp said in a technical document on the issue.
The attack involved a buffer overflow vulnerability in WhatsApp’s voice over internet protocol (VoIP) stack that allowed remote code execution via a series of specially crafted secure real-time control protocol (SRTCP) packets, WhatsApp said.
But sadly, despite the seriousness of the vulnerability, WhatsApp users have been remarkably slow at updating.
According to an analysis (on Thursday 16 May) of the percentage of devices across Wandera’s global customer base that have the upgraded version of WhatsApp, a clear majority are unfortunately still using the vulnerable version.
Wandera said that its data showed that only 19.8 percent of iOS device users are currently on the upgraded version.
A staggering 80.2 percent of iOS users are still using the old vulnerable version of WhatsApp.
There was slightly better (but not much) news on the Android front, where 44.6 percent of users are using the upgraded version.
That leaves 55.4 percent of Android users still vulnerable because they have not upgraded WhatsApp yet.
There is no reason for users not to upgrade. The patched version of WhatsApp for Android was released on Friday 10 May, while for iOS, it was made available on Monday 13 May.
It is important to remember that unpatched versions of WhatsApp will remain insecure until the patch is applied, despite the fact that the messaging platform switched on end-to-end encryption in 2016 for all its products.
Android users have had encryption since 2014.
But at least one rival used the fallout from the security scare to claim that WhatsApp has never been secure as a platform.
Russian entrepreneur and Telegram founder Pavel Durov wrote a blog this week entitled ‘Why WhatsApp will never be secure’, in which he laid out the reasons he was not surprised by the WhatsApp scare.
“The world seems to be shocked by the news that WhatsApp turned any phone into spyware,” wrote Durov. “This news didn’t surprise me though. Last year WhatsApp had to admit they had a very similar issue – a single video call via WhatsApp was all a hacker needed to get access to your phone’s entire data.”
“Every time WhatsApp has to fix a critical vulnerability in their app, a new one seems to appear in its place,” he alleged. “All of their security issues are conveniently suitable for surveillance, and look and work a lot like backdoors.”
“Unlike Telegram, WhatsApp is not open source, so there’s no way for a security researcher to easily check whether there are backdoors in its code,” he wrote. “Not only does WhatsApp not publish its code, they do the exact opposite.”
“WhatsApp has a consistent history – from zero encryption at its inception to a succession of security issues strangely suitable for surveillance purposes,” he wrote. “Looking back, there hasn’t been a single day in WhatsApp’s 10 year journey when this service was secure.”
In 2017 WhatsApp was forced to deny it had a backdoor in the messaging platform, when Tobias Boelter, a security researcher at the University of California, Berkeley, alleged that WhatsApp could reissue encryption keys for offline devices, compromising privacy.