Date: 2020-05-21

Today it is impossible to imagine the world without WhatsApp, and by extension without instant messaging applications. It would be impossible to go back to the pre-smartphone era, where people chatted over SMS. WhatsApp is an application used by more than 2 billion people a month, which means that 1/3 of the entire world population converse through it. For this reason, the idea of losing your account is terrifying. But it turns out that stealing your WhatsApp account is possible.

How to hack a WhatsApp account

The latest entry on the personal blog of Chema Alonso, the well-known Spanish hacker and cybersecurity expert, describes these three methods. The entry was written, by the way, by Yaiza Rubio, another security expert, a collaborator with INCIBE (the Spanish National Cybersecurity Institute) and the first Spanish hacker to give presentations at events such as DEF CON or Black Hat Briefings.

WhatsApp's problem starts with its use of a phone number as the account registration method, which is apparently more secure than the usual email and password.

By SMS message

When you install WhatsApp on a mobile, you are asked for a phone number to associate with the account you are creating. So, if you ever want to reinstall the app on another device or simply do not remember the login or password, WhatsApp offers you 2 methods to send you the verification code you need. Now imagine that suddenly an SMS message arrives with that code, which you have not requested.

Since it is your number, only you can see the SMS messages sent to it. But the problem is that if you don’t delete that SMS, it stays in the message folder, and someone who takes control of your mobile remotely could read it. That is possible in the following cases:

– If you have been the victim of a scam (phishing, a link, a malicious website, etc.) that got you to install malware allowing a hacker to see anything on your mobile

– If you have downloaded a malicious or vulnerable application and given it permission to access the device’s SMS messages

– Through the SIM swapping scam, a multi-step method of cloning SIM cards

– Through a WhatsApp contact: the hacker can deceive you by posing as a contact of yours, as in the scam that the Navarra Police reported in 2018

By phone call

When the verification code is sent by SMS, if it takes more than a minute to enter it, WhatsApp calls the phone number you have registered and reads out the verification code by voice. If the cybercriminal physically had the mobile in his hands, he could take the call and learn the code. In fact, it does not matter if the device is locked, because it is not necessary to unlock it to answer a call.

Another variant is that the hacker does not physically hold the mobile in his hands, but has hacked it remotely. There are Trojans like Android.Bankosy, an old acquaintance from the banking scene, that can temporarily divert calls from a mobile and also collect important data from those calls, such as passwords.

By voicemail

If the verification code sent by SMS is not entered within 1 minute, WhatsApp calls you. If you don’t pick up the call, the service leaves a message on your voicemail, which thus becomes another source of data for the hacker. Again, if the cybercriminal has the victim’s cell phone in hand, he only has to call the voicemail of that phone number.

But if he does not have it, he can call the voice mailbox of that phone number from another mobile, in which case the voicemail will ask for the security PIN code before letting him hear the messages. If the hacker does not have it, he can “resort to statistics on the frequency of use of PIN numbers, where 1234 is the most frequent, followed by 1111 and 0000”. However, if the wrong PIN code is entered three times, the call hangs up automatically.

The same with Telegram

Telegram, second only to WhatsApp among messaging apps, also allows sending a verification code for a Telegram account through SMS. If the code has not been entered within 2 minutes, it also makes a call, except that Telegram does not leave messages on voicemail. Therefore, 2 of the 3 methods tested for stealing WhatsApp accounts also work with Telegram.