WhatsApp Spyware Pegasus Exploit Audit

Find Mobile Devices That Have a Vulnerable WhatsApp Version

The audit checks whether the mobile application's version is different from the recommended version on the day the vulnerability was disclosed. Vulnerable devices will be marked in red while devices with an up-to-date application will be shown in green. The report can also be modified for future use by adjusting the version numbers it checks for. You can find more information about this vulnerability in the Pegasus spyware blog post.

 

WhatsApp Spyware Pegasus Query
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tsysAssetTypes.AssetTypeIcon10 As icon,
  tblADusers.Username,
  tsysAssetTypes.AssetTypename As AssetType,
  tblIntuneDevice.Manufacturer,
  tblIntuneDevice.Model,
  tblIntuneDevice.OperatingSystem As OS,
  tblIntuneDevice.OsVersion,
  tblIntuneApplication.DisplayName,
  tblIntuneApplication.Version,
  Case
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then 'Vulnerable'
 
when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version <> '2.19.134' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version <> '2.19.44' then 'Vulnerable'
 
when tblIntuneDevice.OperatingSystem Like '%Windows%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.348' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%Tizen%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.15' then 'Vulnerable'
    Else 'Safe'
  End As [Vulnerable/Safe],
  tblIntuneDevice.SubscriberCarrier,
  tblIntuneDevice.Imei,
  tblIntuneDevice.SerialNumber,
  tblIntuneDevice.EnrolledDateTime,
  tblIntuneDevice.LastSyncDateTime,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
Case
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then '#ffadad'

when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version <> '2.19.134' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version <> '2.19.44' then '#ffadad'

when tblIntuneDevice.OperatingSystem Like '%Windows%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.348' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%Tizen%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.15' then '#ffadad'
    Else '#d4f4be'
  End As backgroundcolor
From tblAssets
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblAssetCustom On tblAssetCustom.AssetID = tblAssets.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblIntuneDevice On tblIntuneDevice.AssetId = tblAssets.AssetID
  Left Join tblADusers On Lower(tblIntuneDevice.EmailAddress) In
    (Lower(tblADusers.email), Lower(tblADusers.UPN))
  Inner Join tblIntuneDeviceApplication On tblIntuneDevice.Id =
    tblIntuneDeviceApplication.IntuneDeviceId
  Inner Join tblIntuneApplication On tblIntuneApplication.Id =
    tblIntuneDeviceApplication.IntuneApplicationId
Where tblIntuneApplication.DisplayName Like '%Whatsapp%' And
  tblState.Statename = 'Active'
Order By tblAssets.AssetName
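For Android, Windows and Tizen the report compares version strings with `<>`, so any build other than the listed one is reported, including later ones. The following T-SQL is an added example, not part of the Lansweeper report: it compares versions numerically and keeps the version numbers in one list so they can be adjusted for future use. Assumptions: the page's version numbers are treated as minimum fixed versions, `Try_Cast` requires SQL Server 2012 or later, and the CTE names `Installed`, `Fixed` and `Parsed` and all sample rows are constructed for illustration.

```sql
-- Added example (T-SQL). Every row under Installed is constructed sample data.
With Installed (AssetName, OS, DisplayName, Version) As (
  Select * From (Values
    ('PHONE-01', 'Android', 'WhatsApp',          '2.19.134'),   -- the fixed build
    ('PHONE-02', 'Android', 'WhatsApp',          '2.19.98'),    -- older build
    ('PHONE-03', 'Android', 'WhatsApp',          '2.19.150'),   -- newer build
    ('PHONE-04', 'Android', 'WhatsApp Business', '2.19.9'),     -- older build
    ('PHONE-05', 'iOS',     'WhatsApp',          '2.19.51.3'),  -- four-part string
    ('PHONE-06', 'Tizen',   'WhatsApp',          'unknown')     -- unparseable
  ) As s (AssetName, OS, DisplayName, Version)
),
-- Version numbers from the report above, treated here as minimum fixed versions
-- (assumption). Adjust this one list to reuse the check for a later advisory.
Fixed (OS, IsBusiness, FixedVersion) As (
  Select * From (Values
    ('iOS',     0, '2.19.51'),  ('iOS',     1, '2.19.51'),
    ('Android', 0, '2.19.134'), ('Android', 1, '2.19.44'),
    ('Windows', 0, '2.18.348'), ('Windows', 1, '2.18.348'),
    ('Tizen',   0, '2.18.15'),  ('Tizen',   1, '2.18.15')
  ) As f (OS, IsBusiness, FixedVersion)
),
-- Turn each dotted string into one sortable number. Strings are padded to four
-- parts for ParseName; more than four parts or a non-numeric part gives NULL.
-- Assumes every component is below 100000.
Parsed As (
  Select v.Version,
    ((Try_Cast(ParseName(p.V4, 4) As bigint) * 100000
      + Try_Cast(ParseName(p.V4, 3) As bigint)) * 100000
      + Try_Cast(ParseName(p.V4, 2) As bigint)) * 100000
      + Try_Cast(ParseName(p.V4, 1) As bigint) As Num
  From (Select Version From Installed Union Select FixedVersion From Fixed) v
    Cross Apply (Select v.Version + Replicate('.0',
      3 - (Len(v.Version) - Len(Replace(v.Version, '.', '')))) As V4) p
)
Select i.AssetName, i.OS, i.DisplayName, i.Version, f.FixedVersion,
  Case
    When iv.Num Is Null Or fv.Num Is Null Then 'Unknown'  -- review by hand
    When iv.Num < fv.Num Then 'Vulnerable'
    Else 'Safe'
  End As [Vulnerable/Safe]
From Installed i
  Left Join Fixed f On i.OS Like '%' + f.OS + '%'
    And f.IsBusiness = Case When i.DisplayName Like '%Business%' Then 1 Else 0 End
  Left Join Parsed iv On iv.Version = i.Version
  Left Join Parsed fv On fv.Version = f.FixedVersion
Order By i.AssetName
```

To use it against real inventory, replace the `Installed` CTE with the joins on `tblIntuneDevice` and `tblIntuneApplication` from the report above.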

Audit and Take Action in 3 Easy Steps


1. Download & Install Lansweeper


3. Run the Audit & Take Action
