Very interested to know what this means in practice, particularly for iOS.

AFAIK, there are no permissions that allow you to read SMS messages, take screenshots (unless jailbroken), access photos in the background, access the camera in the background, etc.

Does this just spy on the user's WhatsApp activity, or spy on the user in a broader way?

How could the APIs WhatsApp does have access to be abused?

> How could the APIs .. be abused?

The app is infected, calls a 0-day using an illegal parameter that’s normally rejected by app store filters, and gains a permanent beachhead in your Android system services list.

> access photos in the background

Unclear. Apps can show thumbnail galleries of your photos within their native UI, so it may well be possible for them to continue directly to reading photos.

> access the camera in the background

Unclear. Does FaceTime continue transmitting video when the phone screen is turned off? Is it possible to capture stills or video when the screen is off on a jailbroken phone?

> or spy on the user in a broader way

Android WhatsApp seeks permission to read your SMSes, so that would be almost certainly correct as well there.


Well, I was thinking specifically about iOS :)

There's no possible way to read SMS messages programmatically in iOS, for example. The closest you get is reading one-time passwords sent, and you can only do that when the user has the keyboard open when the SMS is received.

I know Android is slightly more lax in this (and some other) regards. I wonder if Android WhatsApp users targeted by this exploit have had more data exposed than iOS users targeted by the same exploit?


All WhatsApp iOS users have an unpredictable set of permissions granted, whereas all WhatsApp Android users have all permissions granted.

If I were a nation state attacker, I would be thrilled to find that my target was Android.


> access photos in the background

Google Photos on iOS is able to upload my photos in the background, so it's possible.