The issue relates to a malicious video that allows hackers to access people’s messages simply by sharing the MP4 file across WhatsApp. The Facebook-owned messaging app fixed the bug earlier this week – but anyone who has not downloaded the latest update remains vulnerable to the hack.
India’s Computer Emergency Response Team (CERT-In) posted an advisory outlining the “high” severity of the threat, warning that it “could be exploited by a remote attacker” at any time.
The security agency issued the advisory after the Indian government said it is empowered to “intercept, monitor or decrypt... any information generated, transmitted, received, or stored” on the phones or devices of its citizens.
On Tuesday, Minister of State for Home Affairs Kishan Reddy cited the Information Technology Act of 2000 when justifying the state’s surveillance policy.
Earlier this month, 19 activists, journalists and politicians in India revealed that their WhatsApp accounts had been targeted. They were among 1,400 people around the world to receive a message warning that their digital communications may have been compromised.
“In May we stopped an attack where an advanced cyber actor exploited our video calling to install malware on user devices,” the message stated. “There’s a possibility this phone number was impacted, and we want to make sure you know how to keep your mobile phone secure.”
WhatsApp claims that this warning was not related to the recent discovery of the malicious video file and claimed that there is no evidence that this particular flaw has been exploited by hackers.
The messaging app says that these users were instead targeted with spyware developed by controversial Israeli technology firm NSO Group.
“WhatsApp is constantly working to improve the security of our service,” a spokesperson told The Independent.
“We make public reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe that users were impacted.”