Everything you need to know about WhatsApp Security and Video Call Breach

WhatsApp is definitely one of the most popular social messaging applications in the world. In fact, as of last year's data, more than 70 million people in India use WhatsApp, which is over 56% of the internet users in the country. Again, this was last year. I would make a safe assumption that more than 90% of smartphone users in India use WhatsApp. In May and June this year, a WhatsApp video call scam was doing the rounds among WhatsApp users, especially in India. And the scam is back!

Since the day WhatsApp announced its new video calling feature, a group of scammers has taken advantage of it to trick gullible users out of data and money. I am sure a lot of us have already received a message that looks like this:

[Image: whatsapp video call scam]

Once you click on this, it takes you to an unsafe website (as highlighted by many web browsers) and then asks you to share it with four friends to enable the video call feature. Let's dive deeper to see what's happening here:

This particular domain name is registered in Mumbai and has 11 more domain names that it connects to, as listed in http://whatsappcall.co/js/invite.js

var domains = ['whatsappvideoactivate.com', 'whatappvideoenable.com', 'whatappvideoonline.com', 'whatappvideofeature.com', 'whatappvideostart.com', 'whatsappcall.co', 'video.whatsappcall.co', 'whatsapp-videocalls.co', 'whatsapp-videocalls.com', 'videocall-whatsapp.co', 'video-whatsappcall.com'];

Now what happens is that this website invokes the WhatsApp application on your phone and displays this message:

window.location.href='whatsapp://send?text=*You\'re invited to try Whatsapp Video Calling feature.* %0D%0A%0D%0A Activate at: %0D%0A ???? http://' + domain + '/ %0D%0A%0D%0A_Only people with the invitation can enable this feature_';

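I want you to notice that the URL doesn't start with http: or https:; instead it uses whatsapp://, which is how the page hands the message to the WhatsApp application rather than to the browser.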
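A defender can triage such a share link by decoding its text parameter and checking the hosts it advertises. The following is an added example, not code from the scam page or from WhatsApp; the allowlist of official domains, the brand pattern and the function names are assumptions made for illustration, and the sample link is constructed from the message template and domain list quoted above.

```javascript
// Added example: triage a whatsapp://send share link like the one built above.
const OFFICIAL = ['whatsapp.com', 'whatsapp.net', 'wa.me']; // assumed allowlist
const BRAND = /whats?app/i; // "whatsapp" plus the "whatapp" typo seen in the list

function isOfficial(host) {
  return OFFICIAL.some(d => host === d || host.endsWith('.' + d));
}

// Decode the text= parameter of a whatsapp://send link; null if it is not one.
function shareText(link) {
  const m = /^whatsapp:\/\/send\?([\s\S]*)$/i.exec(link);
  if (!m) return null;
  const param = m[1].split('&').find(p => p.startsWith('text='));
  if (!param) return null;
  try {
    return decodeURIComponent(param.slice(5));
  } catch (e) {
    return param.slice(5); // malformed %-escapes: keep the raw text
  }
}

// List every host advertised in the message and flag brand lookalikes.
function triageShareLink(link) {
  const text = shareText(link);
  if (text === null) return { isShareLink: false, hosts: [], suspicious: [] };
  const hosts = [];
  for (const u of text.match(/https?:\/\/[^\s]+/gi) || []) {
    try {
      hosts.push(new URL(u).hostname.toLowerCase());
    } catch (e) { /* not a parseable URL, skip it */ }
  }
  const suspicious = hosts.filter(h => BRAND.test(h) && !isOfficial(h));
  return { isShareLink: true, hosts, suspicious };
}

// Constructed sample: the page's message template with one domain from its list.
const SAMPLE = "whatsapp://send?text=*You're invited to try Whatsapp Video Calling feature.* " +
  "%0D%0A%0D%0A Activate at: %0D%0A http://whatappvideoenable.com/ " +
  "%0D%0A%0D%0A_Only people with the invitation can enable this feature_";

console.log(triageShareLink(SAMPLE));
```

A host is flagged only when it contains the brand string and is not the allowlisted domain or one of its subdomains, so a name such as video.whatsappcall.co is reported while faq.whatsapp.com is not.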

The domain is picked randomly from the list of 11 domains shared above. Next, this application prompts the following message:

window.alert("ONE LAST STEP\n\nDownload partner app OR click YES on next page");

This takes you to the page http://realmob.co/app.html, going through multiple redirects:

[Image: whatsapp scam]

[Image: whatsapp scam calls]

[Image: whatsapp scam video calls]

then, that is redirected to

[Image: whatsapp scam video calls]

and finally, the last redirection to

[Image: whatsapp scam video calls india]

Now Appfly is managed by https://www.appfly.com/, which, according to their website description, is "a global app distribution platform that helps publishers monetize their mobile traffic while providing advertisers with high-value users." Basically, it is an affiliate and ad network for app publishers.

How Malware Can Be Spread Through WhatsApp Messages Like Videos, Text?

WhatsApp is generally considered one of the safest messaging apps ever built. However, in the recent past, hackers seem to have broken this myth entirely. It has been found that hackers can send viruses, malware and even Trojan horses through WhatsApp messages. Let's see how.

1. Through Videos: Recently, cases have been discovered in which hackers attempted to breach data security by sending malware through video messages on WhatsApp. First, they send you a link to malicious video content or even a video attachment. Chances are that once you click on the link or download the attachment, your data privacy gets compromised.

2. Through Images: In the past, hackers tried to send malicious multimedia content through cellular services. But that whole process was difficult and risky. WhatsApp, on the other hand, made things easy for them as they could now transfer malicious image content to users without any hassle. The only thing users can do is to not download content sent by unknown people, especially messages and images which seem to offer lucrative deals and offerings.

3. Through Calls: It seems a bit weird that malware could be spread using WhatsApp calls, but it is true. A bug in the messaging app allowed threat actors to inject Israeli malware into phones across the globe through WhatsApp calls.


The malware was developed by a secret Israeli company called NSO Group. The most interesting thing about this case is that the malicious code could be spread even if the users didn't answer their calls. Moreover, the calls soon disappeared from the user's log as well. 

Loopholes in WhatsApp Security 

Despite having a robust security policy and continued efforts towards security, WhatsApp has always been on the radar of threat actors who are constantly craving for sensitive information that is shared across this platform in huge volumes. Here are some of the major security loopholes that have been discovered in WhatsApp in the recent past:

1. Messages can be Accessed Remotely

This is a big threat to your privacy. Security expert Bas Bosschert has discovered that WhatsApp backs up messages on Android in an insecure way, so that they can be stolen and read by others through downloaded Android apps. However, this is only possible if you allow WhatsApp to keep a backup of your messages on the SD card. If you turned the message backup option off during the initial setup, your messages are safe. If not, your messages are in danger.

In order to prevent this attack, you must remove the app from your phone and then install WhatsApp all over again. This time, don’t forget to turn off message backup when asked during the installation setup.

2. It Allows Strangers to See your Profile Picture Even After you Change your Privacy Settings

Another security bug that has been discovered allows strangers to see your profile picture irrespective of your privacy settings. This means that even if you have opted for ‘Contacts only’, WhatsApp still lets everyone see your profile photo. This bug was discovered by a 17-year-old security researcher named Indrajeet Bhuyan. The problem occurred because the smartphone app could not be synced properly with the new web interface version.

3. The Web App Shows Photos that have been Deleted

The same researcher, Bhuyan, also discovered that even when you delete your WhatsApp photos, the web version saves them indefinitely. This is the reason why you see the blurred photos in your WhatsApp chats after you have deleted them. The web version of WhatsApp that was introduced last month still doesn’t follow the security measures that were taken for the mobile version.

4. Fake WhatsApp Web is Spreading Banking Trojans

WhatsApp introduced its web version last month, which gives users the ability to read and send messages directly from their web browsers. Malicious hackers have taken advantage of this latest WhatsApp Web and have spread a fake WhatsApp Web Banking Trojan. This Trojan hacks into the confidential information that users have on their private phones.

5. Hackers Gain User's Mobile Numbers and Run Scam Campaigns

Researchers have also found that hackers brought out other promising but unofficial desktop versions of fake WhatsApp Web for Arabic and Spanish speakers. They portrayed this fake WhatsApp Web as the legitimate version of the app and then extracted the users’ mobile phone numbers. When users submitted their mobile numbers to download the fake WhatsApp Web, the hackers got those numbers. They then ran spam campaigns against those numbers or made the users unknowingly subscribe to premium rate services.

Final Thoughts

Despite being the favourite messaging app of users, WhatsApp has its own fair share of security flaws. And without a doubt, these vulnerabilities can cause serious trouble for users if not addressed properly. While WhatsApp is constantly fighting the battle with threat actors to remain ahead in the race for security and privacy, it is also the responsibility of the users to stay cautious while sharing their sensitive information over the platform and adopt the best security practices.

Published on Nov 16, 2016
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching Mobile Security. Currently, he helps businesses to detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple, and others

