WhatsApp reveals security bug that put users’ data at risk


WhatsApp has shared details of a critical “security bug” affecting its Android app that could allow attackers to remotely plant malware on users’ phones during video calls.

The messaging app disclosed details of a critical vulnerability, tracked as CVE-2022-36934 with a severity rating of 9.8 out of 10, which WhatsApp describes as an integer overflow bug.

According to The Verge, the critical bug would allow an attacker to exploit a code error known as an integer overflow, letting them execute their own code on a victim’s smartphone after sending a specially crafted video call.

Remote code execution vulnerabilities are a key step in installing malware, spyware, or other malicious applications on a target system, as they give attackers a foot in the door that can be used to further compromise the machine using techniques like privilege escalation attacks.

The vulnerability is similar to a 2019 bug that WhatsApp said Israeli spyware maker NSO Group used to target 1,400 victims’ phones, including those of journalists, human rights defenders, and other civilians.

At that time, the attack leveraged a bug in WhatsApp’s audio calling feature that allowed the caller to plant spyware on a victim’s device, regardless of whether the call was picked up or not.

In the same security advisory update, WhatsApp also disclosed this week details of another vulnerability, CVE-2022-27492. The bug is rated “high” in severity at 7.8 out of 10 and would let attackers execute code after sending a malicious video file.

As per The Verge, both of these vulnerabilities are patched in recently updated versions of WhatsApp and should already be fixed in any installation of the app that is set to automatically update.
