450 Million WhatsApp Users Still Vulnerable to Malware Reported in December

With 19 billion dollars Facebook could have purchased damn near anything including the Hubble Telescope, a large hadron collider, an aircraft carrier, or Jamaica. Instead Facebook bought the mobile message company WhatsApp. Neither company is well known for their robust privacy features and early in this marriage Facebook and WhatsApp will need to address a pretty fundamental privacy issue.

It would seem that there is little in the way of security in the WhatsApp application framework, despite a vulnerability being widely exposed in December of 2013. It was discovered that a game hosted on Google Play called Balloon Pop 2 was secretly stealing entire conversation histories from WhatsApp, including profile photos and photos shared in conversations. The Balloon Pop 2 "game" managed to infect hundreds, possibly thousands, of devices before being removed from Google Play, but it can still be found on third party app stores and on the developer's website, WhatsAppCopy.com. The fake Balloon Pop 2 game may have been removed from Google Play, but the theft of WhatsApp messages is ongoing and the number of victims is growing daily.

Advertised as a "backup" service for WhatsApp the reality of WhatsAppCopy.com is much more sinister. Not only does the "backup" of WhatsApp messages happen completely without the victim's knowledge, but once the WhatsApp messages are uploaded to the server they become publicly accessible. Anyone can view an abbreviated history of the victim's WhatsApp conversations by entering the victim's phone number into the WhatsAppCopy website. WhatsAppCopy allows anyone to purchase the full "backup" of their conversation history or, more likely, purchase someone else's full conversation history, including photos.

The methodology used by the developers of WhatsAppCopy to steal users' messages is far from complex. The fake Balloon Pop 2 game simply reads the WhatsApp databases and profile pictures from their fixed, well-known path on the device's SD card: shared storage that any other app on the device can read once it has been granted the external storage permission, with no WhatsApp credential involved. This remains unchanged from when the malware was first reported in December.


The stolen data is then compressed and uploaded to the WhatsAppCopy website where it is distributed to any paying customer.
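The collection step above needs nothing more than read access to the shared storage. The following added example (not code from the article, from WhatsApp or from WhatsAppCopy) is a small triage script a responder could run over a copy of a device's external storage, for instance a directory pulled with adb: it walks the fixed WhatsApp paths, lists every file that any app holding the external storage permission could lift, and checks each database by its first bytes to tell a cleartext SQLite store from an encrypted or otherwise opaque one. The directory names are assumptions about the app's layout, and the sample tree is constructed inline so the script runs offline.

```python
"""Triage check for message stores left on shared (external) storage.

Added example, not the article's or any vendor's code. The directory layout
below is an assumption about where the app kept its files in 2014, and the
sample files are constructed dummies so the check runs without a device.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Fixed locations on external storage (assumed layout). Everything under the
# shared root is readable by any app granted external storage read access.
DATABASE_DIR = Path("WhatsApp") / "Databases"
PROFILE_PHOTO_DIR = Path("WhatsApp") / "Profile Pictures"


def classify_database(path: Path) -> str:
    """'cleartext-sqlite' if the file starts with the SQLite header,
    otherwise 'opaque' (an encrypted .crypt variant, or not a database)."""
    with path.open("rb") as fh:
        head = fh.read(len(SQLITE_MAGIC))
    return "cleartext-sqlite" if head == SQLITE_MAGIC else "opaque"


def scan_external_storage(sdcard_root: Path) -> list[dict]:
    """List every file reachable at the fixed paths, with size and, for
    databases, whether the content is readable without any key."""
    findings = []
    for subdir, kind in ((DATABASE_DIR, "database"), (PROFILE_PHOTO_DIR, "profile-photo")):
        base = sdcard_root / subdir
        if not base.is_dir():
            continue
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            findings.append({
                "path": str(path.relative_to(sdcard_root)),
                "kind": kind,
                "bytes": path.stat().st_size,
                "content": classify_database(path) if kind == "database" else "n/a",
            })
    return findings


def build_sample_sdcard(root: Path) -> None:
    """Constructed sample tree: one cleartext store, one opaque (.crypt5-style)
    store and one profile photo. Contents are dummies, not real data."""
    (root / DATABASE_DIR).mkdir(parents=True)
    (root / PROFILE_PHOTO_DIR).mkdir(parents=True)
    (root / DATABASE_DIR / "msgstore.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)
    (root / DATABASE_DIR / "msgstore.db.crypt5").write_bytes(bytes(range(100)))
    (root / PROFILE_PHOTO_DIR / "4915551234567.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 29)


def demo() -> list[dict]:
    """Run the scan over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_sdcard(root)
        return scan_external_storage(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:13} {f['content']:17} {f['bytes']:6d}  {f['path']}")
```

Point `scan_external_storage` at a real pulled `/sdcard` copy to see what a game with the external storage permission could have bundled and uploaded; a `cleartext-sqlite` hit on shared storage means the conversation history needs no key at all to read.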

So why hasn't WhatsApp done anything to secure their users' data? It's been nearly three months since this malicious application was reported and still users are having their messages stolen daily.

All of the estimated 450 million monthly active WhatsApp users are vulnerable to having their conversation histories stolen. The developers of the WhatsAppCopy malware appear to be based in Spain and so far Spanish WhatsApp users are most affected. WhatsApp has a very strong user base in Europe and Asia, two places that have a long history of PC and mobile malware. If the worldwide WhatsApp user base continues to expand to the 1 billion mark, as predicted by Mark Zuckerberg, then more malware targeting WhatsApp is inevitable.

Neither WhatsApp nor Facebook has yet responded to email requests for comment on this matter. We will continue to monitor this situation and provide updates accordingly.

UPDATE 3/3/2014: WhatsApp has responded to the request for comment on the malicious WhatsAppCopy website and said simply "we are working on getting this website disabled." They did not expand on how they plan to disable the website or whether they plan to modify the WhatsApp application to increase security.

UPDATE 3/13/2014: WhatsApp has released an official statement regarding the vulnerability that has made this malware possible.

"We are aware of the reports regarding a 'security flaw'. Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps."

But unfortunately for WhatsApp it doesn't appear they have actually fixed the problem. According to security researcher Bas Bosschert, the proof of concept (PoC) malware he created to test this vulnerability still works. Bosschert writes in his blog that:

"In their newest update they changed their encryption scheme which saves the database to msgstore.db.crypt5 on the SD card. I claimed that my original PoC still works after the update, but after the first nightly backup I also had the crypt5 databases. They also stopped using a hardcoded key for all devices, and instead use the Account Name to create a device (account) unique encryption key. Which seems to be a big step forward, but it only means we also have to steal the Account Name and we can still read the WhatsApp chats."
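Bosschert's point generalises: a key derived from something stored on the same device adds no confidentiality against malware that can read that device. The following added example is a toy model written for this article, not WhatsApp's crypt5 scheme and not Bosschert's PoC: it stands in a hash-based stream cipher for the real encryption and a hash of the Account Name for the real key derivation (both assumptions), and compares what an attacker recovers under the old one-key-for-all-devices scheme and the new per-account scheme, with and without the account name in hand.

```python
"""Toy model of "key derived from on-device data" (added example).

Not WhatsApp's crypt5 scheme and not Bosschert's PoC. The cipher is a
deliberately simple HMAC-SHA256 keystream XOR, the key derivation is a
plain hash of the account name, and the hard-coded key is made up; all
three are assumptions chosen only to show the threat-model point.
"""
from __future__ import annotations

import hashlib
import hmac

HARDCODED_KEY = b"same-key-in-every-copy-of-the-app"   # assumption: old scheme


def derive_key(account_name: str) -> bytes:
    """New scheme (modelled): per-device key from the Account Name."""
    return hashlib.sha256(b"toy-db-key|" + account_name.encode()).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt_old(db: bytes) -> bytes:
    """Old scheme: one key shared by every installation."""
    return xor_stream(HARDCODED_KEY, db)


def encrypt_new(db: bytes, account_name: str) -> bytes:
    """New scheme: key unique to the account on this device."""
    return xor_stream(derive_key(account_name), db)


def attacker_old(ciphertext: bytes) -> bytes:
    """Attacker with only the file: the shared key is in every copy of the
    app, so it is effectively public."""
    return xor_stream(HARDCODED_KEY, ciphertext)


def attacker_new(ciphertext: bytes, account_name_guess: str) -> bytes:
    """Attacker must also supply the account name; with the real one
    (lifted from the same device) the plaintext comes straight back."""
    return xor_stream(derive_key(account_name_guess), ciphertext)


# Constructed sample data, not taken from any real device.
SAMPLE_DB = b"SQLite format 3\x00" + b"chat: meet at nine at the usual place"
ACCOUNT = "alice@example.com"   # assumption: the device's Account Name


def demo() -> dict[str, bool]:
    """Does the attacker recover the plaintext in each situation?"""
    old_ct = encrypt_old(SAMPLE_DB)
    new_ct = encrypt_new(SAMPLE_DB, ACCOUNT)
    return {
        "old_scheme_file_only": attacker_old(old_ct) == SAMPLE_DB,
        "new_scheme_file_only": attacker_new(new_ct, "guess@example.com") == SAMPLE_DB,
        "new_scheme_file_and_account": attacker_new(new_ct, ACCOUNT) == SAMPLE_DB,
        # Same plaintext on two devices: identical under the old scheme,
        # different under the new one, which is the real improvement.
        "old_scheme_same_ct_on_every_device": encrypt_old(SAMPLE_DB) == old_ct,
        "new_scheme_same_ct_on_every_device": encrypt_new(SAMPLE_DB, "bob@example.com") == new_ct,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:38} {v}")
```

The per-account key is a step forward because one stolen key no longer unlocks every device's database. Against the threat this article is about, malware running on the same handset that can already read the shared storage, it is not a boundary: whatever the key is derived from is within reach of the same reader. The confidentiality boundary has to be a key the attacker cannot read, or a store that is not on shared storage in the first place.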

The actual WhatsAppCopy malware discussed in this article, which should be differentiated from Bosschert's PoC malware, continues to harvest WhatsApp messages from users, though those victims may not have installed the new official WhatsApp update.

More on this story as it continues to develop....

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA