Google just unsealed information about an apparently exploitable bug in WhatsApp that could have allowed a malevolent caller to take over your device.
Just answering a call could have been enough to land you in trouble.
Project Zero researcher Natalie Silvanovich found a buffer overflow that could be triggered by data transmitted as part of the audio and video stream during a call.
WhatsApp, along with many other online calling apps, uses RTP, short for Real Time Protocol, for transmitting voice and video.
RTP was designed to be efficient – for example, it uses UDP instead of TCP, so that data arrives faster but less reliably. (UDP packets aren’t checked to see if they made it to the other end, and can arrive in a mixed-up order; TCP packets are verified and delivered in the order they were sent, which means more network overhead.)
If you lose some data packets from an app you are downloading, the entire download will be corrupted and useless; if you drop occasional voice packets, you’ll just have some inaudible moments in the call.
Unfortunately, RTP also squeezes its data into a binary packet format that needs careful unravelling at the other end to work out what sort of data was sent, how to deconstruct it, and how much data to expect.
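The kind of careful unravelling described above, as an added example (not WhatsApp's code and not a reconstruction of the reported bug): a receiver checks every length an RTP packet claims against the number of bytes that actually arrived, following the RFC 3550 header layout. The names `rtp_view` and `rtp_parse` and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Fields recovered from an RTP packet (header layout per RFC 3550, section 5.1). */
struct rtp_view {
    uint8_t  payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    const uint8_t *payload;      /* points into the caller's buffer */
    size_t   payload_len;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse an untrusted datagram of `len` bytes. Returns 0 on success, or -1 if any
 * length the packet claims does not fit inside what was actually received. */
int rtp_parse(const uint8_t *pkt, size_t len, struct rtp_view *out)
{
    if (len < 12 || (pkt[0] >> 6) != 2)           /* fixed header, version 2 */
        return -1;
    size_t off = 12 + 4u * (pkt[0] & 0x0F);       /* skip CSRC list: CC * 4 bytes */
    if (off > len)
        return -1;
    if (pkt[0] & 0x10) {                          /* X bit: header extension */
        if (len - off < 4)
            return -1;
        size_t ext = 4u * (((size_t)pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4;
        if (ext > len - off)                      /* compare against bytes left */
            return -1;
        off += ext;
    }
    size_t end = len;
    if (pkt[0] & 0x20) {                          /* P bit: last byte = pad count */
        size_t pad = pkt[len - 1];
        if (pad == 0 || pad > len - off)
            return -1;
        end -= pad;
    }
    out->payload_type = pkt[1] & 0x7F;
    out->seq = (uint16_t)((pkt[2] << 8) | pkt[3]);
    out->timestamp = be32(pkt + 4);
    out->ssrc = be32(pkt + 8);
    out->payload = pkt + off;
    out->payload_len = end - off;
    return 0;
}

/* Constructed sample: well-formed packet carrying 4 payload bytes. */
const uint8_t rtp_ok[] = {0x80,0x60,0,1, 0,0,0,0xA0, 0xDE,0xAD,0xBE,0xEF, 1,2,3,4};
/* Constructed sample: extension claims 0xFFFF words, only 4 bytes follow. */
const uint8_t rtp_bad_ext[] = {0x90,0x60,0,2, 0,0,0,0xA0, 0xDE,0xAD,0xBE,0xEF, 0xBE,0xDE,0xFF,0xFF, 1,2,3,4};
```

The second sample is rejected because the extension length it declares exceeds the bytes remaining in the datagram; a parser that trusted that field would read or copy past the end of the buffer.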