On Tuesday, 14 May 2019, news broke that the messaging app WhatsApp had been hacked, allegedly by an Israeli spyware company, the NSO Group.

WhatsApp discovered the suspicious activity on its system on Friday, 10 May 2019, and began working on solutions. Apparently, the software was installed on targets’ devices using the WhatsApp voice-calling function, and even if the call was not picked up, the malware would be installed.

However, the targets of this attack were not just normal, everyday people, but a selected group, or groups, of people.

“The WhatsApp hack was based on software created by a legitimate company, ostensibly to enable governments to combat terrorism, but often used illegally to target human rights groups and activists. The latest attack was discovered as a result of an attack on a UK-based human rights group,” technology analyst Arthur Goldstuck told Daily Maverick.

“It used a vulnerability in the Voice Over Internet Protocol (VOIP) functionality of the software underlying WhatsApp to install spyware on the victim’s handset, which in turn allowed the sender to activate the device’s camera and microphone, as well as browsing other apps like Gmail,” he said.

Information and communications technology expert Toby Shapshack said the relationship between Facebook and WhatsApp could not be ignored, especially when Facebook had in the past been found to have handled people’s personal information suspiciously.

“As one of the largest messaging networks in the world, with over 1.5 billion users, WhatsApp has become a convenient way to contact and communicate with just about anyone. But it is owned by Facebook – who have proved they are not able to store personal information without exploiting it, selling it, data-mining it, and so on. I just don’t trust them. And why should I trust them with my personal messaging?” said Shapshack.

He said that even though people were aware of the security vulnerabilities of WhatsApp, it was difficult for them to migrate to safer and more secure messaging apps. This was because they had found a level of comfort on WhatsApp.

The alternatives are other messenger apps such as Telegram and Signal.

“Telegram remains one of the most secure messaging apps, since it sends device-level verification rather than network-level verification, which is susceptible to SIM-swaps and other network-based attacks and weaknesses. In other words, Telegram sends verification through the app itself rather than via SMS, as most other apps do. It is generally more secure in its internal workings as well. Signal is on a similar level to Telegram in the strength of security,” says Goldstuck.

“In the last few years, while WhatsApp was being sued by privacy watchdogs in Europe for data infringements, Telegram was sued in Russia for refusing to compromise on its users’ privacy,” added Shapshack.

Goldstuck said there was no foolproof methodology for one to protect against such threats but “generally, the best defence against malware is to keep both the operating system and all apps up to date. And never click on mysterious links sent by unknown people or on social media”. DM