Can You Get Hacked Through WhatsApp?

 

Who hasn’t heard of WhatsApp? If you own a smartphone, whether Android or iPhone, BlackBerry or Windows Phone, or even one running the Symbian operating system, you have probably downloaded it at least once!

Launched in November 2019 by Brian Acton and Jan Koum, this app rules the social media world. To date, it is one of the most popular free instant messaging and voice-over-IP apps in use globally. You won’t be surprised to know that today WhatsApp has more than 2 billion monthly active users worldwide.

So why does the public love to use WhatsApp? Well, for one, it uses the Internet to send quick messages and allows users to engage with one another using a range of multimedia options such as text, images, video, and audio. Moreover, it also allows you to create groups with up to 256 members, share your location with friends or family, and create disappearing stories. To put it simply, it is so much more versatile than regular texting.

Do you know? WhatsApp has been downloaded 5,000,000,000+ times from Google Play Store alone.

The best part about this app is its feature where you can send unlimited photos or videos without any additional charges. It also has a feature that allows you to make calls over the internet for free.

In February 2014, Facebook acquired WhatsApp for approximately US$19.3 billion. Since then, the app has been introducing many new worthwhile features. On January 21, 2015, WhatsApp launched its new feature called WhatsApp Web. This is a browser-based web client that syncs to your mobile device's connection so you can use the app on your laptop or desktop without having to touch your mobile! Pretty convenient, right?

In April 2016, WhatsApp announced that its messages will now be end-to-end encrypted. This means that only the sender and the receiver of the message can see the contents and no one else. Not even WhatsApp can read or listen to them.

However, WhatsApp has had some privacy concerns over time.

Is WhatsApp Hackable?

WhatsApp is an app and, like any other software, it has vulnerabilities and always will. The company, however, makes sure that any bug compromising the security of WhatsApp is corrected as soon as possible.

The question of whether WhatsApp can be hacked is a concern for many smartphone users. To answer it in simple terms: WhatsApp has been hacked in the past, and there are many ways to hack WhatsApp now, but not all of them are legitimate. However, it is safe to say that the app uses end-to-end encryption on your messages, so they can’t be intercepted on their way. But any messages present on your phone will always be susceptible to hacking by different means.

The problem with WhatsApp is that it stores messages on the device and backs them up on the server, which means that if you lose your device, anyone who finds it can read all of your conversations without having to hack into WhatsApp servers.

In 2021, it was rumored that Facebook, the parent company of WhatsApp, is reading messages exchanged on the app. An investigation by ProPublica discovered that Facebook has employed

 “More than 1,000 contract workers filling floors of office buildings in Austin, Texas, Dublin, and Singapore, where they examine millions of pieces of users' content”.

 However, Facebook had an answer to this allegation. It claimed that these contractors only sift through reported content sent by people as evidence or content red-flagged by WhatsApp’s own algorithm.

Another common way to hack WhatsApp is by using spyware or malware that can be purchased online. This method can also be used to steal personal information from your device. To make sure no unauthorized person can see your WhatsApp chats, you must keep a strong lock PIN or password on your phone at all times. You can also use WhatsApp’s Two-Step Verification option for greater security. At Acropolis Technology Group, we highly recommend Two-Step Verification at any chance you get.

In April 2019, Faustin Rukundo’s WhatsApp was hacked by powerful software called Pegasus, developed by the NSO Group. A simple missed call was used to send malicious code to Faustin’s phone, which secretly installed spyware on his device. This spyware could remotely and secretly extract valuable intelligence from his cell phone by sharing all phone activity, including communications and GPS data, with the hacker.

Ways Your WhatsApp Messages Can Get Hacked

Using WhatsApp Web

The web version of WhatsApp allows users to scan a QR code to log into their account. But before logging in, the user can check the ‘keep me signed in’ option. Here is where a small vulnerability is exposed. Even after the user closes the web browser, he will still be logged into his WhatsApp account. Any person who later opens the browser can instantly access the victim’s WhatsApp chats, send messages around, export his chats, and basically do anything and everything with the victim’s WhatsApp.

To avoid such a dangerous situation, you must always log out of your WhatsApp account from all devices other than your personal one.

Using Verification Code Method

Each WhatsApp account is registered to a valid phone number of the user. To activate the app, the user must verify his/her phone number by entering a verification code sent to that number via SMS. Once the user enters the verification code in the app, he/she gets signed in.

Hackers have exploited this process to break into target WhatsApp accounts in the past. Here is how:

  1. The hacker enters the victim’s phone number on his mobile phone’s WhatsApp account.

  2. WhatsApp sends a verification code to the victim’s phone.

  3. The hacker, posing as a family member or friend, sends a message to the victim’s number or inbox asking them to ‘send a verification code that they have accidentally sent on their phone’.

  4. The victim, unaware that the verification code really belongs to his number, forwards it to the hacker.

  5. The hacker quickly enters it into their device and voila! He now has full access to the victim’s WhatsApp account. Unfortunately, the victim gets automatically logged out of his WhatsApp on the device.

 This type of hacking is really dangerous as the hacker can impersonate the victim and send messages asking for valuable information or money from the victim’s contacts.

 To avoid this type of scam, one must never reply to messages asking for verification codes without proper investigation. Try ringing the person to find out who is on the other side!
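
The two events that matter in the steps above are an unrequested code SMS (step 2) followed shortly by a message asking for that code (step 3). The sketch below is an added example, not part of the original article or of WhatsApp: it flags such requests in a message timeline, and the patterns, the 15-minute window, the SMS wording and all senders are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# All patterns and the 15-minute window are assumptions made for this example.
REG_SMS = re.compile(r"whatsapp code", re.I)          # step 2: code SMS arrives
ASKS_TO_SEND = re.compile(r"\b(send|forward|share|tell|give)\b", re.I)
MENTIONS_CODE = re.compile(r"\b(code|otp)\b|\b\d{3}-?\d{3}\b", re.I)
PRETEXT = re.compile(r"\b(by mistake|accident(ally)?|wrong number)\b", re.I)
WINDOW = timedelta(minutes=15)


def flag_code_requests(events):
    """Return (event, reasons) pairs for messages that ask for a code.

    events: time-ordered dicts with 'ts', 'channel' ('sms' or 'chat'),
    'sender' and 'text'.
    """
    flagged = []
    last_reg_sms = None
    for ev in events:
        text = ev["text"]
        if ev["channel"] == "sms" and REG_SMS.search(text):
            last_reg_sms = ev["ts"]   # remember when the code SMS came in
            continue
        if not (ASKS_TO_SEND.search(text) and MENTIONS_CODE.search(text)):
            continue
        reasons = ["asks for a code"]
        if PRETEXT.search(text):
            reasons.append("'sent by mistake' pretext")
        if last_reg_sms is not None and ev["ts"] - last_reg_sms <= WINDOW:
            reasons.append("follows a registration SMS")
        flagged.append((ev, reasons))
    return flagged


# Constructed timeline; the SMS wording and all senders are made up.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    {"ts": T0, "channel": "sms", "sender": "WhatsApp",
     "text": "Your WhatsApp code: 123-456. Don't share this code with others."},
    {"ts": T0 + timedelta(minutes=2), "channel": "chat", "sender": "Aunt Maria",
     "text": "Hi, I sent you a 6-digit code by mistake, can you forward it to me?"},
    {"ts": T0 + timedelta(hours=3), "channel": "chat", "sender": "Sam",
     "text": "Can you send me the photos from yesterday?"},
    {"ts": T0 + timedelta(days=1), "channel": "chat", "sender": "Lee",
     "text": "Please share the promo code for the shop."},
]

if __name__ == "__main__":
    for ev, reasons in flag_code_requests(SAMPLE):
        print(ev["sender"], "->", ", ".join(reasons))
```

A message that collects all three reasons matches the scam described above; one that only asks for a code is worth a phone call before replying.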

 

Using Export Chat Option

This method of hacking is pretty simple and only requires the hacker to have access to your device. The hacker can open your WhatsApp, select a specific chat, and choose the ‘Export Chat’ option. He can then send all the chat data to any email account in the world very easily. The worst part is that this type of hacking only requires a few seconds with your phone, and the hacker is done!

 

The solution? Protect your account with Fingerprint Lock so that only you can open your WhatsApp chat.

 

Using Paid Third-Party Apps

As discussed above, using paid legal apps to hack into a secure mobile device is another way in which someone can hack into your WhatsApp account. For the most part, it could be your spouse trying to spy on you or your curious parent wishing to figure out your current friends list. But it could also be bigger agencies belonging to diplomats and governments who wish to target important journalists or activists.

 

Do You Know? Spyic and mSpy are the two most-used apps for WhatsApp Hacking!

 

Whoever they may be, they can hack your WhatsApp account easily by purchasing and installing the app on your phone. Once they activate it, they can snoop into your chats, contacts, location data, and so on!

 

Do You Know? PullOutCorrWhatsApp (POCWAPP) is an Android App available on the Dark Web. Created by a Chinese programmer Liugong 01, this program can hack WhatsApp remotely and within moments.

 

Using QRL Jacking

WhatsApp Web uses a QR (Quick Response) code to log into the WhatsApp account. In QRL Jacking, the hacker uses a social engineering attack to hack into the victim’s WhatsApp account. The hacker first creates a phishing web page with a cloned login QR code and sends it to the victim. When the victim scans that QR code, the attacker gets inside his/her WhatsApp account. In simple words, the victim has scanned the wrong QR code, letting the hacker hijack that particular WhatsApp session. Unfortunately, there is not much you can do to stay safe from a QRL jacking attack unless, of course, you stop using QR codes!

Do You Know? The Open Web Application Security Project (OWASP.org) created a GitHub repository in April 2019. This repository hosted software tools to execute QRL attacks on apps along with proper instructions and a Wiki as well. There was also a list of apps that were vulnerable to QRL jacking and that included WhatsApp too.

Using a GIF to execute Remote Code

In this type of attack, the hacker uses a GIF image to conceal malicious code inside it. When the user opens that malicious image, it triggers the code execution. In this way, all data in the app’s memory can be accessed by the attacker. This vulnerability affected WhatsApp versions below 2.19.244 and was discovered in November 2020. However, Facebook fixed the flaw in early 2021. The vulnerability was named CVE-2019-11932 and was discovered by a researcher called Awakened.
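
To check a list of phones against the version stated above, compare version numbers part by part rather than as text, because a plain string comparison ranks 2.19.98 above 2.19.244. The following is an added example, not code from WhatsApp or from the original article; the device names and the inventory are constructed, and only the 2.19.244 threshold comes from the text.

```python
# Threshold taken from the article: versions below 2.19.244 were affected.
FIXED_IN = (2, 19, 244)


def parse_version(text):
    """Turn '2.19.98' into (2, 19, 98); return None if any part is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory):
    """Map each device to 'affected', 'ok' or 'unknown'."""
    result = {}
    for device, version in inventory.items():
        parsed = parse_version(version)
        if parsed is None:
            result[device] = "unknown"    # never treat an unreadable version as safe
        elif parsed < FIXED_IN:
            result[device] = "affected"   # numeric, part-by-part comparison
        else:
            result[device] = "ok"
    return result


# Constructed inventory: device name -> installed WhatsApp version string.
INVENTORY = {
    "phone-a": "2.19.98",     # text comparison would wrongly rank this above 2.19.244
    "phone-b": "2.19.244",
    "phone-c": "2.20.10",
    "phone-d": "2.19.beta",   # not fully numeric, reported as unknown
    "phone-e": "2.19",        # shorter version, sorts below 2.19.244
}

if __name__ == "__main__":
    for device, status in triage(INVENTORY).items():
        print(device, INVENTORY[device], status)
```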

 

Sites Sourced: OWASP Foundation | Open Source Foundation for Application Security

 Written by: Adnan Ahmed

Infographic by: Maria Berra