WhatsApp, the group calling, file sharing and messaging service bought by Facebook for an incredible $19 billion in 2015, has become one of the most popular apps for Android and iPhone users worldwide. More than one-sixth of the world population, some 1.3 billion users, use it to stay in touch with friends and family. It's popular as well in commercial and governmental communications, and has been the go-to platform for many activist groups around the world seeking a secure communication channel.
According to its website, “…we built end-to-end encryption into the latest versions of our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.”  Sadly, Kapersky Labs recently discovered that WhatsApp users, primarily in Italy, have been infected with malware that turns an Android phone into a surreptitious listening device and allows unregistered hackers to secretly listen into conversations and steal private messages.
This malicious malware version, only recently discovered, is known as SkyGoFree and has been in the wild since 2014. Attackers can take videos and pictures, access the phone's location and seize call records, all exposing the victim to any number of compromising situations and—for business and government users—could expose trade secrets and classified government material. Even a darker threat, a rogue government organization could wield its might and compel WhatsApp to give them access to supposedly private conversations. Skygofree has been described by Kaspersky Lab as “one of the most powerful spyware tools that we have ever seen”.
Cryptographic experts, among them the Real World Crypto Symposium members, have recently identified design flaws in similar messaging apps, including the open source product Signal, and the Swiss app Threema—both popular apps each boasting a sizable user base.
According to a comScore white paper  published recently, mobile devices now account for about two-thirds of online activity. In a sense, it's surprising that bad actors haven't focused their malware on mobile messaging apps until so recently. That new focus, though, is only bound to increase as mobile devices claim an even greater share of market.
Beyond Security Hacks
Security risks are only part of the problem. With bad actors targeting WhatsApp and similar tools, Companies and organizations face a plethora of threats when laws and regulations are violated. A few examples:
Compliance risk is the risk that accrues when an organization has violated a law or regulation. A variety of rules, HIPAA perhaps being one of the most visible, can bring fines and other sanctions if Personal Health Information is improperly transmitted or disclosed.
Intellectual property leaks can damage a company and its competitive position in a market.
FINRA Regulatory Notices such as Notice 17-18 provides a set of mandates around communication and maintaining records of such communications.
MiFID II, Article 16 requires that firms take all reasonable steps to avoid communications over channels that cannot be secured.
The FDA's Social Guidance specifies that firms are responsible for the content generated by their employees or agents (physicians, key opinion leaders, marketing agencies, etc.) acting on its behalf. Such content can include messaging, text and other material transmitted via WhatsApp.
How SafeGuard Cyber Can Help Protect WhatsApp and Other emerging digital channels
The malware SkyGoFree which can infect WhatsApp has many features such as the ability to automatically record conversations and ambient sound when an infected device enters a location specified by the person operating the malware. What caught our attention, though, was the never-before-seen ability to steal WhatsApp messages. Because Safeguard Cyber interacts with WhatsApp, we store all the content even in the case the device is infected. No messages would be actually lost. We provide a full audit trail of content generated even if it has not been sent, ensuring that a malware such as this does not disrupt your risk surveillance programs.
Disappearing messages are, however, not the only risk—nor is WhatsApp the only mobile phone social app that is targeted. Because we have access to the content pre-post, we can monitor other aspects of WhatsApp, including the content itself for regulatory risk, malicious links, images and attachments that pose risks for the organization and for the individual user.
While it is important to know about the dangers hackers have brought to WhatsApp users, the issue is larger than a single app. Enterprises often have several that are adopted as mobile devices are becoming the target for bad actors. Each mobile device is an “end point” that exists outside your firewall. Yet, you can't afford to protect all these individually and you need an architecture that ensure all are easily monitored. To the extent your employees' phones can be hacked, whether through WhatsApp or some other channel, your organization is at risk. Contact us today to request a free demo.
July 6, 2020