PT-2019-6103 · Facebook · WhatsApp Business for iOS +5

Published 2019-05-13 · Updated 2025-10-24 · CVE-2019-3568

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

WhatsApp for Android versions 2.19.134 and earlier
WhatsApp Business for Android versions 2.19.44 and earlier
WhatsApp for iOS versions 2.19.51 and earlier
WhatsApp Business for iOS versions 2.19.51 and earlier
WhatsApp for Windows Phone versions 2.18.348 and earlier
WhatsApp for Tizen versions 2.18.15 and earlier

Description

A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. The issue was exploited to deliver Pegasus malware surreptitiously. It is estimated that about 1,400 devices were targeted, with users in 51 countries affected, including 456 in Mexico, 100 in India, 82 in Bahrain, 69 in Morocco, and 58 in Pakistan. The vulnerability was used to install spyware on targeted phones just by calling them, with no user interaction required.

Recommendations

For WhatsApp for Android versions 2.19.134 and earlier, update to version 2.19.134 or later.
For WhatsApp Business for Android versions 2.19.44 and earlier, update to version 2.19.44 or later.
For WhatsApp for iOS versions 2.19.51 and earlier, update to version 2.19.51 or later.
For WhatsApp Business for iOS versions 2.19.51 and earlier, update to version 2.19.51 or later.
For WhatsApp for Windows Phone versions 2.18.348 and earlier, update to version 2.18.348 or later.
For WhatsApp for Tizen versions 2.18.15 and earlier, update to version 2.18.15 or later.

Fix

RCE

Buffer Overflow

Memory Corruption

Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2021-05420
CVE-2019-3568

Affected Products

WhatsApp Business for Android
WhatsApp Business for iOS
WhatsApp for Android
WhatsApp for Tizen
WhatsApp for Windows Phone
WhatsApp for iOS