Facebook recently fixed a critical flaw in the Facebook Messenger for Android messaging app through which one could listen in on other users’ surroundings without their knowledge. As per the official Play Store page, the app is used by nearly 1 billion users.
The amount this security researcher was paid reflects the damage that could have been done if this vulnerability had made it into the mainstream. However, there is nothing to say it was not already used in the wild by malicious actors around the world. Patching unknown threats is a constant battle between good and evil, but the longer it takes for a zero-day threat to be patched, the longer the bad actors have to profit from their findings by selling them or via extortion.
Similar to Pegasus, which is believed to have been used to target Jeff Bezos, this attack is extremely rare, but it highlights the importance of patching and updating, both by developers and by us as users.
This isn’t the first time we’ve seen an attack like this. Just last year, it was reported that an attacker could inject commercial spyware into a device via unanswered WhatsApp calls. Attackers will find creative ways to bypass the native security measures built into apps and devices in order to discreetly compromise the device.
This vulnerability in particular could be used to execute a highly effective spying campaign on targeted individuals. It’s a cheap and easy way to be able to eavesdrop on certain individuals. It’s another example of how attackers can leverage personal applications on mobile devices to steal corporate information. This is unique because it doesn’t require any direct interaction with the target and no malware needs to be installed.
Mobile devices are the key to productivity, so cybercriminals have been increasingly exploiting mobile vulnerabilities in outdated apps and OS versions to initiate their attacks. If a user continues to run an out-of-date version of Facebook Messenger, they could unintentionally expose sensitive information to attackers. It’s absolutely necessary to understand what mobile apps are running on your employees’ mobile devices, especially if you allow them to use personal devices to access corporate data. Out-of-date apps could put you out of alignment with compliance standards and cause unintentional data leakage.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts’ comments, analysis and opinion on the latest Information Security news and topics.