All it took was a missed call and WhatsApp could be compromised. You didn’t even have to answer the call. That simple. The Facebook-owned messaging app that is used by 1.5bn people around the world could be that easily compromised. It’s a major blow for both smartphone security and Facebook, whose CEO Mark Zuckerberg this year has vowed to pivot it to his “privacy-focused vision for social networking”.
That didn’t take long. Facebook’s new plan to be more secure lasted just two months after Zuckerberg’s pronouncement in early March about this shift, which followed 2018’s annus horribilis.
“Within minutes of the missed call,” wrote the Financial Times, which first revealed the exploit, “the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages and location and even turns on the camera and microphone to live-stream meetings.”
Wow. And the target wouldn’t even know they had been compromised.
The circumstances are quite particular – a UK human rights lawyer involved in a lawsuit against the Israeli software company that made the malware – but the implications are much wider.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp quickly said. “We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society.”
Remember WhatsApp has 1.5bn users whose security could be compromised. Given how important privacy is to Zuckerberg’s new vision for his messaging monopoly and the much-vaunted end-to-end encryption that WhatsApp offers, it has major implications for the trust relationship Facebook is trying to reinvent after Cambridge Analytica.
Not surprisingly, malware attacks on smartphones have increased since they became the dominant form of personal computer. The attacks have focussed, equally unsurprisingly, on banking apps.
Incidents of mobile banking fraud doubled from 2017 to 2018 for the period January to August, according to the South African Banking Risk Information Centre’s (SABRIC) inaugural digital banking crime statistics report. “We are all too aware that the advent of digital technology has seen the exploitation of digital platforms by criminals,” the report states.
The industry saw R250 million in gross losses in 2017 in 13,438 incidents using banking apps, online banking and mobile banking; while SIM swops increased 104% in the same period.
Meanwhile, South Africa was the second-most targeted country for banking malware using Android smartphones, behind Russia, according to security firm Kaspersky Lab, which held its annual Cyber Security Weekend in Cape Town. Malware attacks increased by 22% in the first quarter of 2019 compared to the year before, with 13,842 cyberattacks a day. That equates to 577 attempted attacks every hour, or around nine every second, says Amin Hasbini, Kaspersky’s head of global research and analysis for the Middle East, Turkey and Africa.
If you weren’t feeling paranoid, you should be. As I argued earlier this year, seriously consider ditching WhatsApp and using the more secure Telegram and Signal messaging apps.
This column first appeared in Financial Mail