Find Mobile Devices That Have a Vulnerable Whatsapp Version
The audit checks whether the mobile application’s version is different from the recommended version on the day the vulnerability was disclosed. Vulnerable devices will be marked in red while devices with an up-to-date application will be shown in green. The report can be modified for future use too by adjusting the version numbering if checks for. You can find more information about this vulnerability in the Pegasus spyware blog post.
WhatsApp Spyware Pegasus Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblADusers.Username,
tsysAssetTypes.AssetTypename As AssetType,
tblIntuneDevice.Manufacturer,
tblIntuneDevice.Model,
tblIntuneDevice.OperatingSystem As OS,
tblIntuneDevice.OsVersion,
tblIntuneApplication.DisplayName,
tblIntuneApplication.Version,
Case
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version <> '2.19.134' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version <> '2.19.44' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%Windows%' AND tblIntuneApplication.DisplayName = '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.348' then 'Vulnerable'
when tblIntuneDevice.OperatingSystem Like '%Tizen%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.15' then 'Vulnerable'
Else 'Safe'
End As [Vulnerable/Safe],
tblIntuneDevice.SubscriberCarrier,
tblIntuneDevice.Imei,
tblIntuneDevice.SerialNumber,
tblIntuneDevice.EnrolledDateTime,
tblIntuneDevice.LastSyncDateTime,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%iOS%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version NOT LIKE '2.19.51%' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName = 'Whatsapp' AND
tblIntuneApplication.Version <> '2.19.134' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%Android%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%Business%' AND
tblIntuneApplication.Version <> '2.19.44' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%Windows%' AND tblIntuneApplication.DisplayName = '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.348' then '#ffadad'
when tblIntuneDevice.OperatingSystem Like '%Tizen%' AND tblIntuneApplication.DisplayName Like '%Whatsapp%' AND
tblIntuneApplication.Version <> '2.18.15' then '#ffadad'
Else '#d4f4be'
End As backgroundcolor
From tblAssets
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblAssetCustom On tblAssetCustom.AssetID = tblAssets.AssetID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblIntuneDevice On tblIntuneDevice.AssetId = tblAssets.AssetID
Left Join tblADusers On Lower(tblIntuneDevice.EmailAddress) In
(Lower(tblADusers.email), Lower(tblADusers.UPN))
Inner Join tblIntuneDeviceApplication On tblIntuneDevice.Id =
tblIntuneDeviceApplication.IntuneDeviceId
Inner Join tblIntuneApplication On tblIntuneApplication.Id =
tblIntuneDeviceApplication.IntuneApplicationId
Where tblIntuneApplication.DisplayName Like '%Whatsapp%' And
tblState.Statename = 'Active'
Order By tblAssets.AssetName
