WhatsApp is undoubtedly the world’s most popular instant messaging app, which makes it one of the top targets for cybercriminals around the world. Multiple data breaches at Facebook have also raised alarm about the safety and privacy of its users.
Just recently, WhatsApp’s security vulnerabilities were exploited to inject Pegasus spyware and snoop on 1,400 individuals around the world. Facebook has now confirmed another security vulnerability which involved sending malicious MP4 video files.
The new vulnerability shows how simple things such as MP4 videos could put users’ data at risk. In the case of Pegasus as well, spyware could be injected through mere WhatsApp video calls, even if the receiver hasn’t picked up the call.
Let’s take a look at some of the recent vulnerabilities that were exploited by hackers using popular file formats on the platform.
In May this year, WhatsApp confirmed a spyware attack via audio calls. The bug in WhatsApp’s audio calling feature enabled hackers to install spyware on Android phones and iPhones merely by calling the target. WhatsApp fixed the bug and asked users to update the application on their phones.
“The bug can be exploited based on a decades-old type of vulnerability – a buffer overflow,” Carl Leonard, Principal Security Analyst at cybersecurity company Forcepoint, had said.
“While no details of the actions taken by this malware have emerged, one could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information.”
GIFs are quite popular across social networking platforms. Hackers, however, found a way to hack a victim’s phone by sending malicious GIF files.
If successful, hackers could have obtained remote access to the victim’s phone. The bug, now fixed, affected users running Android 8.1 and Android 9.
“The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could, in theory, occur when the user takes action to send a GIF. The issue would impact their own device,” WhatsApp said, confirming the bug.
In August this year, security firm Check Point pointed out that an old WhatsApp vulnerability could allow messages to be altered using the popular “quote” feature.
Leveraging social engineering tactics to fool end-users, hackers could send a private message to a group participant disguised as a public message.
Free 1,000GB data scam
Researchers from cybersecurity firm ESET earlier this year discovered a scam that involved luring users with a fake message that WhatsApp was giving away 1,000GB of internet data free on its 10th anniversary.
The campaign also included a malicious URL aimed at racking up bogus ad clicks. In 2017, a similar scam campaign made the rounds that promised to give away free data.