WhatsApp has published details of a critical security flaw in its Android and iOS apps that could allow an attacker to execute code remotely on a user's phone during a video call, a foothold from which malware can be planted.
The vulnerability, tracked as CVE-2022-36934, carries a severity score of 9.8 out of 10 and is described by WhatsApp as an integer overflow.
According to The Verge, the flaw lets an attacker trigger the integer overflow during an established video call with the victim and run code of their choosing on the victim's smartphone.
Remote code execution bugs are a key step in installing malware, spyware or other malicious applications on a target, because they give the attacker a foothold from which to compromise the device further, for example through privilege escalation.
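To make the failure mode concrete, here is an added example in C. It is not WhatsApp's code and is not derived from its advisory: a hypothetical media-chunk parser whose 32-bit length arithmetic wraps, shown beside a hardened version, plus the mirror-image underflow case where a length is derived by subtraction. The chunk format, the function names and the crafted message are all constructed for the illustration.

```c
/* Added example, not WhatsApp's code. Hypothetical chunk format (constructed):
 *   u32 hdr_len (little-endian) | u32 payload_len | payload bytes
 * The parser decides how much to allocate and how much to copy; the structs
 * record that decision instead of performing the copy, so the bug is visible
 * without actually corrupting memory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_SIZE 8u

typedef struct {
    uint32_t alloc_size;   /* bytes the parser would allocate */
    uint32_t copy_size;    /* bytes it would then memcpy into that buffer */
    int      accepted;     /* 1 if the parser would proceed with the copy */
} plan_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable: hdr_len + payload_len is computed in 32 bits and wraps modulo
 * 2^32. With hdr_len 0x10 and payload_len 0xFFFFFFF8 the sum is 8, so the
 * parser allocates 8 bytes and would copy ~4 GiB into them: a heap overflow. */
plan_t plan_unchecked(const uint8_t *msg, size_t msg_len) {
    plan_t p = {0, 0, 0};
    if (msg_len < HDR_SIZE) return p;
    uint32_t hdr_len = rd32(msg), payload_len = rd32(msg + 4);
    p.alloc_size = hdr_len + payload_len;   /* wraps */
    p.copy_size  = payload_len;
    p.accepted   = 1;
    return p;
}

/* Hardened: reject wraparound before it happens and require that the
 * declared payload actually fits in the bytes that were received. */
plan_t plan_checked(const uint8_t *msg, size_t msg_len) {
    plan_t p = {0, 0, 0};
    if (msg_len < HDR_SIZE) return p;
    uint32_t hdr_len = rd32(msg), payload_len = rd32(msg + 4);
    if (payload_len > UINT32_MAX - hdr_len) return p;   /* sum would wrap */
    if (payload_len > msg_len - HDR_SIZE) return p;     /* header lies about size */
    p.alloc_size = hdr_len + payload_len;
    p.copy_size  = payload_len;
    p.accepted   = 1;
    return p;
}

/* Underflow variant: a parser that derives payload length as
 * declared_total - HDR_SIZE wraps to ~4 GiB when declared_total < 8. */
uint32_t payload_len_unchecked(uint32_t declared_total) {
    return declared_total - HDR_SIZE;   /* underflows for declared_total < 8 */
}

/* Hardened: -1 when the declared total cannot even hold the header. */
int64_t payload_len_checked(uint32_t declared_total) {
    if (declared_total < HDR_SIZE) return -1;
    return (int64_t)(declared_total - HDR_SIZE);
}

/* Constructed inputs: a crafted chunk (hdr_len 0x10, payload_len 0xFFFFFFF8,
 * four payload bytes) and a benign one (hdr_len 0x10, payload_len 4). */
static const uint8_t crafted[] = {0x10,0,0,0, 0xF8,0xFF,0xFF,0xFF, 'A','A','A','A'};
static const uint8_t benign[]  = {0x10,0,0,0, 0x04,0x00,0x00,0x00, 'A','A','A','A'};

int main(void) {
    plan_t v = plan_unchecked(crafted, sizeof crafted);
    plan_t s = plan_checked(crafted, sizeof crafted);
    printf("unchecked: alloc %u bytes, copy %u bytes -> %s\n", v.alloc_size, v.copy_size,
           v.copy_size > v.alloc_size ? "heap overflow" : "ok");
    printf("checked: accepted=%d\n", s.accepted);
    printf("underflow: unchecked=%u checked=%lld\n",
           payload_len_unchecked(4), (long long)payload_len_checked(4));
    return 0;
}
```

The two checks in plan_checked are independent and both necessary: the first stops the arithmetic from wrapping, the second stops a header that declares more payload than the peer actually sent, which is the usual way a crafted media frame is turned into an out-of-bounds read or write.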
The vulnerability is reminiscent of a 2019 bug that WhatsApp said Israeli spyware maker NSO Group used to target the phones of about 1,400 people, including journalists, human rights defenders and other civilians.
That attack exploited a bug in WhatsApp's audio-calling feature that let the caller plant spyware on the victim's device whether or not the call was answered.
In the same security update WhatsApp also disclosed a second vulnerability, CVE-2022-27492, an integer underflow rated "high" at 7.8 out of 10 that could allow an attacker to run code after the victim receives a malicious video file.
According to The Verge, both vulnerabilities are fixed in recent versions of WhatsApp and should already be patched on any installation set to update automatically; users who update manually should install the latest version.