WhatsApp has gone from a newcomer on the messaging scene to the biggest name in the business, and with that increase in size has come a big jump in the number of people looking to take advantage of the app’s users. If you use WhatsApp, there are a lot of threats out there that you should know about – here are a few of the big ones.
Now that you can use WhatsApp via a web interface, there are people out there distributing bad download links that look like real WhatsApp clients, but will saddle you with a bunch of malware. Kaspersky Labs found a number of these suspicious downloads in a variety of languages.
These sites collect information from downloaders and distribute malware. Kaspersky researchers found ones that add users to WhatsApp spam lists, some that come packaged with trojans, and some that distribute malware designed to get at banking information.
Fortunately, the solution to this problem is a simple one: make sure that you’re using the official URL. To use the web app, go to http://web.whatsapp.com/. You don’t need to download any apps or browser extensions – you only need to go to the correct page and sign in.
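One way to automate that check, for example when screening links in a mail or chat filter, is shown below. It is an added example, not code from Kaspersky or WhatsApp; the function names, the three labels and the short confusable-letter table are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "web.whatsapp.com"  # the address the article names
OWNER_DOMAIN = "whatsapp.com"
BRAND = "whatsapp"
# Constructed, deliberately incomplete sample of Cyrillic letters that render
# like Latin a, p, s, h, w; a real filter would use a full confusables table.
CONFUSABLES = str.maketrans(
    {"\u0430": "a", "\u0440": "p", "\u0455": "s", "\u04bb": "h", "\u051d": "w"}
)


def _readable(host):
    """Decode punycode (xn--) labels, then fold the sample confusables to Latin."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # not valid punycode: keep the raw label
        labels.append(label)
    return ".".join(labels).translate(CONFUSABLES)


def classify_link(url):
    """Return 'official', 'lookalike' or 'other' for one link."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "other"  # malformed netloc, nothing to compare
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "other"
    if host == OFFICIAL_HOST:
        return "official"
    if host == OWNER_DOMAIN or host.endswith("." + OWNER_DOMAIN):
        return "other"  # genuine whatsapp.com host, but not the web client
    # Text before '@' is userinfo, not the destination, yet a reader sees it first.
    userinfo = parts.netloc.rpartition("@")[0].lower()
    if BRAND in _readable(host) or BRAND in userinfo:
        return "lookalike"
    return "other"
```

Only the host and userinfo are compared, so a file named after the app on an unrelated host is not flagged by this check.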
A while ago, someone discovered that you could crash someone else’s instance of WhatsApp by sending a message over 7 MB in size. After receiving the message, WhatsApp will crash every time the user tries to open the thread, and the only way to regain control of the app is to delete the thread. It was recently discovered that the same thing could be done by sending a much smaller message – only 2 KB in size – that contains a set of special characters.
Even if a message is backed up, restoring the conversation doesn’t solve the problem; it’ll still crash the app. This exploit works not just with messages to individuals, but also to groups, in which case every member of the group will experience the crash and need to leave the group and delete the thread. This might not sound like a big deal if you only use WhatsApp to organize rides to the bar, but many people use the app for business as well, which means this vulnerability could be a huge pain.
As of yet, there’s no way to fix or defend against this exploit. Your best hope is that Facebook and WhatsApp quickly fix the problem before more people find out about it. Fortunately, however, this doesn’t seem to happen on every platform; so far, it’s only been seen on Android.
Bypassing Privacy Settings
Maikel Zweerink recently discovered that WhatsApp, even with the increased security that has been put in place recently, isn’t nearly as safe as we think it is. He showed proof that a simple app called WhatsSpy Public can monitor status messages, status changes, and user photos, as well as adjust security settings, even if the app’s owner has set the privacy options to “nobody”.
Zweerink was experimenting with WhatsApp to create a bot, and was shocked when he found out how it could be used to track other users despite their privacy settings. He also wrote a detailed blog post about the problems he discovered that is certainly worth a read. This is a particularly worrying development, even for an app that’s had a lot of worrying security problems recently.
As far as we know, there’s no way to protect against this, and we’ll just have to wait for the WhatsApp developers to find a way to fix it.
Spying on Other Users
WhatsApp recently debuted end-to-end encryption, making it much more secure than it’s been in the past. Despite this, however, there are still a few ways that other people can listen in on your conversations. There’s a piece of spy software called mSpy, for example, that sends reports on calls, browsing, text messages, WhatsApp conversations, and more, back to the owner of the app. All they have to do is get the app onto your phone, which just takes a few minutes.
Paying close attention to the apps that are installed on your phone will help you catch spyware like mSpy, but MAC spoofing is a more insidious and harder-to-detect method of listening in on WhatsApp conversations. A phone’s MAC address is a unique identifier, and WhatsApp uses this address to route messages. By temporarily assigning someone else’s MAC address to your phone, you can intercept their WhatsApp messages (though they also get sent to the intended recipient).
The best way to make sure that your messages aren’t being intercepted in this way is to not give anyone who you don’t trust access to your phone. It doesn’t take long to get the MAC address for a phone, and once you have it, it’s easy to spoof it from another phone. Detecting and preventing MAC spoofing isn’t easy, so not giving anyone the chance to do it in the first place is your best bet.
Should You Get Rid of WhatsApp?
WhatsApp is a great messenger app, but between Facebook’s ownership of it and the ever-increasing number of security worries, it’s looking like it might be a safer idea to use a more secure messaging app, like Telegram, a very popular alternative. While most users won’t find that they get taken advantage of because they’re using WhatsApp, the worry will always be there. And now that WhatsApp has been identified as a high-priority target for hackers, it might not be worth the risk.
Do you still use WhatsApp? Are you worried about the security vulnerabilities that have shown up over the past few years? Share your thoughts below!