Industry News

Fake WhatsApp app may have been built to spy on iPhone users – what you need to know

Fake WhatsApp app may have been built to spy on iPhone users - what you need to know
  • Fake WhatsApp appears to have been used in targeted attacks
  • Users reminded to always be wary of where they install apps from

What’s happened?
A fake version of the WhatsApp messaging app is suspected of being created by an Italian spyware company to snoop upon individuals and steal sensitive data.

Who is behind the fake WhatsApp?
The bogus app, uncovered by cybersecurity researchers at Citizen Lab and journalists at Motherboard, appears to be linked to an Italian firm called Cy4gate which develops “lawful interception” technology.

“Lawful interception?” Do you mean spyware?
Yes, it’s spyware – but spyware that is created by firms to sell to law enforcement bodies, intelligence agencies, and governments.

How do we know this type of spyware might not be abused? Can the people who buy spyware from Cy4gate be trusted?
Good question.

And the answer is?
Your guess is as good as mine.

So, what does the fake WhatsApp actually do?
Information that hackers could gather from an iPhone running the app includes (but is not limited to) the device’s unique identifier (known as a UDID, and assigned by Apple) as well as its unique IMEI.

How would that information be useful?
Well, it might help point an intelligence agency in a particular direction, towards a specific individual.

But does the fake WhatsApp app steal any more data from iPhones?
The researchers at Citizen Lab were not able to gather details on what other data an attacker might be able to steal from a targeted iPhone running the fake version of WhatsApp.

However, it’s hard to imagine that having installed a fake version of WhatsApp onto a target’s phone they wouldn’t at least try to do a lot more, such as spy upon messages they might be sending and receiving as well.

How would a fake WhatsApp app make its way onto an iPhone anyway? Has the version in the iOS App Store been compromised?
Generally Apple does a pretty good job of policing what gets into its official app store, and keeping out bogus software. However, many iPhone users are probably unaware that it is possible to install software onto an iPhone via a different route.

In the case of the bogus WhatsApp software, social engineering tricks are used to dupe users into installing configuration files (known as MDM or Mobile Device Management profiles) onto their phones, and these can install unauthorised malicious code onto an device.

Citizen Lab shared a screenshot of a phishing page which appeared to be linked to the attack, directing users to download the bogus version of WhatsApp and follow the instructions to install the configuration file.

Why on earth does Apple allow people to install software this way? It sounds unsafe!
The technology was put in place to help corporations install bespoke software that wasn’t appropriate for the public App Store onto employee’s devices – but for some time there have been attempts to use it to install spyware.

Should I be worried? I use WhatsApp all the time
Probably not. This is likely to have been a highly targeted attack. Whoever was behind the fake WhatsApp is likely to have built it with a very specific purpose in mind, not with the intention of infecting as many iPhone users as possible.

Nonetheless, it’s a useful reminder that if you want to run the legitimate version of WhatsApp, the most sensible thing to do is is to install it from the official iOS App Store.

At least I’m alright, I use Android not iPhone!
Don’t speak too fast. In November 2017, it was discovered that over one million Android users had been duped into downloading a bogus version of WhatsApp that had been published in the official Google Play store.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.