After WhatsApp attack, how vulnerable are your apps?

After the discovery of a targeted surveillance attack by hackers on messaging app WhatsApp, we consider how this attack could have happened, and what practical steps you can take to check the vulnerability of apps on your phone.

Phone and applications

According to media reports, WhatsApp discovered a surveillance attack targeted at selected users – reportedly journalists, lawyers and human rights experts – effected through the remote installation of surveillance software on mobile devices, exploiting a significant vulnerability in the messaging app.

It has been reported that the security flaw was exploited using WhatsApp's voice calling function to ring a target's device. The surveillance software would be installed even if the call was not taken, and the call would disappear from the call log.

How could the attack have happened?

The iOS attack is a clever code injection attack, allowing the attacker to inject code into the application via the VOIP (the communication of voice, data or video content over internet protocol networks) capability of the app. This attack allows the attacker to perform any action they want to on the device.

The android app has inside it a function call named 'DexClassLoader' that can run downloaded code and so this type of attack was previously theorized but maybe not exactly how it happened in this case. Any app with DexClassLoader within it is vulnerable to attack by the developer or someone who works out how to use it.

What security issues are there with apps?

From our regular testing of mobile applications we’ve identified these issues:

  • Adware malware in the app
  • Excess or unused permissions
  • The ability to download and run code at will on your device
  • Trackers in most apps: from 4 to 30+
  • Taking of identification data from you, your device and your SIM
  • Connections to over 50 network endpoints – often outside Europe and the US -  within 10 seconds of an app starting
  • Developers can be covering their costs by selling your data
Best practice and checks you can follow with Android apps

1. Install the Exodify chrome plugin on your pc

a. Using this look through the apps you have installed on the Google Play store

b. Consider removing apps with more than 15 trackers

2. Test any side loaded apps on VirusTotal before installation

3. Get a copy of DNS66: this will block many adverts and save around significant amount of your data each month

4. Install the NetGuard VPN or equivalent:

a. Enable monitoring and packet capture

b. For one app at a time monitor what communications it performs

c. You can turn internet access off for individual apps

5. Install Process Monitor for Android 6 and less:

a. This shows apps burning the battery: a number have been found, including Netflix and Chrome, continuously scanning the SD card

About QinetiQ Mobile Application Security Testing:

We can test a range of mobile applications:

  • Do applications contain issues?
  • Are the devices secure in relation to malware, networking and can they extract personal information?

For more information, please contact us