Yesterday, a friend of mine said he had just installed Facebook’s WhatsApp on his cell phone after hearing that the software powers more private communication. He urged me to do the same – but a nagging voice in the back of my head said, “Don’t go there.”
I thought I remembered reading some headlines about some or another WhatsApp scandal so I took a quick shallow dive while my pal and I were still talking. The shockingly bad news surfaced immediately.
“Get a load of this,” I told my friend. The first headline, from mid-November 2019, is “New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices.” The first paragraph of the article said the company was in trouble – “again.”
“Ho ho ho,” I thought, “what’s up with WhatsApp?”
For one thing, in October, WhatsApp fixed “yet another critical vulnerability” without a lot of fanfare. This programming flaw could have allowed attackers to access remote devices and possibly even steal “secured chat messages and files stored on them.”
By this time, I told my friend in no uncertain terms that this WhatsApp is bad news and should be purged rather than installed. After we hung up, I dove deeper. What I found might disturb my more sensitive readers. You have been warned.
A 2017 survey said WhatsApp had 1.3 billion active monthly users. On August 9, 2019, that customer number had risen dramatically:
“As of the latest reported period, WhatsApp had more than half a billion daily active Status users worldwide, up from 450 million global DAU in the second quarter of 2018.”
India has a Computer Emergency Response Team (CERT) that recently uncovered a “dangerous bug” on WhatsApp exploited by a remote attacker who sent a compromised video file in MP4 file format to targeted phones.
CERT revealed that the threat has been categorized as a “High Severity” issue which affects Android and iOS device users. In Geek Speak, the problem is:
“A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system.”
A WhatsApp security message said that triggered buffer overflows can allow hackers to execute their own code. Worse, the vulnerability requires no form of authentication from the victim’s device. The malware self-executes after downloading a prepared malicious MP4 file on the recipient’s system. Anyone with access to a user’s cell phone number being used for WhatsApp is at risk of being hacked.
The WhatsApp security message also revealed that the software weakness could lead to data theft:
“Successful exploitation of this vulnerability could allow the remote attacker to cause Remote Code Execution (RCE) or Denial of Service (DoS) conditions, which could lead to further compromise of the system.”
An RCE attack is typically used by intruders to run malicious software on an unauthorized device. The malware is designed to steal information from the device without the user’s knowledge or consent.
Then, I chanced upon this chilling story out of Leeds, England. Faustin Rukundo, an exile from Rwanda, received a phone call over WhatsApp last April. The caller ID indicated an unfamiliar number but Rukundo answered anyway. The line was silent before it went dead.
Rukundo redialed the unidentified number but there was no answer. The curious man conducted an online search and determined that the call came from Sweden. That was the end of it – until a second call came in from the same number. Again, no one spoke before the call dropped.
Seeing missed calls from other unknown numbers on his phone, Rukundo purchased a new one. He was now concerned about the safety of his family.
Within 24 hours, the unknown number called Rukundo on his new phone. By the time he answered, the caller hung up. Whenever he dialed the number, no one picked up. Rukundo said he realized something was wrong when he noticed files were missing from the phone. And he wasn’t alone. Other opponents of the Rwandan regime had been targeted for hack attacks:
“I spoke to my colleagues at the Rwanda National Congress and they too had similar experiences. They were getting missed calls from the same numbers as me.”
Rukundo wised up after watching a BBC show about the WhatsApp hack and realized he was a victim. Changing phones did no good because the criminals “were following my number around and putting the spy software on each new device by calling the same number.”
Some 1,400 people are thought to have been targeted by hackers exploiting this WhatsApp vulnerability.
That number is probably low. It was easy to find this website which gives detailed instructions on how to hack WhatsApp chat history, messages or account, be it Mac, Android or iPhone.
Another WhatsApp Hack guide will show users how to break into an unsuspecting user’s phone without touching it.
This is one cell phone user who won’t be downloading WhatsApp. It’s from Facebook, for crying out loud.