Naked Security

WhatsApp goes after Chinese password scammers via US court

If you can’t beat ’em, sue ’em!

Actually, the original quote doesn’t quite go like that, but you get the idea: if you can’t stop people downloading bogus, malware-tainted apps that pretend to be backed by your powerful, global brand…

…why not use your powerful, global brand to sue the creators of these rogue malware-spreading apps instead?

This isn’t a new technique (legal action by IT industry giants has helped to take down malicious websites and malware distribution services before), and it won’t stop the next wave of perpetrators from taking up where the last lot left off.

But anything that makes it more difficult for malware peddlers to operate in plain sight is worth a try.

WhatsApp on the offensive

WhatsApp, together with its parent company Meta, has started legal action against three companies whom it claims “misled over one million WhatsApp users into self-compromising their accounts as part of an account takeover attack.”

Loosely speaking, self-compromise in this context refers to app-based phishing: create a bogus login dialog that keeps an unauthorised copy of anything you enter, including personal data such as passwords.

As you can probably imagine, and as WhatsApp claims in its court filing, the primary value of these compromised accounts to the alleged infringers was that they could be used for “sending commercial spam messages”.

Unlike the email ecosystem, where anybody can email anybody (or, in the case of bulk message senders, where somebody can email everybody), messaging and social media apps such as WhatsApp are based on closed groups.

This sort of online world isn’t anywhere near as easy for spammers and scammers to infiltrate.

Indeed, we know plenty of people who hardly use email at all any more, preferring to communicate with friends and family via exactly this sort of closed group, mainly because it sidesteps the flood of intrusive and unwanted garbage they face via email.

Of course, the flip-side of a closed-group messaging ecosystem is that you’re more likely to believe, or at least to take a look at, stuff you receive from people you know.

You’re unlikely to open documents or click on links that clearly came from an email sender you’ve never met before, don’t want to meet, and never will…

…but even if you know that your cousin Chazza is prone to sharing groanworthy memes and eyebrow-lifting videos, you probably still take a look at them, because you know what to expect already, and, hey, it’s your cousin, not some totally random online sender.

In other words, if scammers can get into your social media accounts, they not only get access to your people-I’m-happy-to-chat-to list, but also acquire the ability to spam that list of people-who-are-happy-to-hear-from-you with messages that were apparently sent with your blessing.

Unfortunately, it’s not enough just to trust the sender, because you have to trust the sender’s device and their account as well.

Social network spamming and scamming based on compromised accounts is a bit like Business Email Compromise (BEC), where crooks go to the trouble of getting access to an official email account inside a company.

This means they’re in a position to trick the employees of that company much more convincingly than they could as outside senders:

https://nakedsecurity.sophos.com/2022/10/04/romance-scammer-and-bec-fraudster-sent-to-prison-for-25-years/

Named and shamed

WhatsApp named three companies in the lawsuit, operating in South East Asia under three different brand names.

The companies are Rockey Tech HK Ltd (Hong Kong), Beijing Luokai Technology Co. Ltd (PRC), and Chitchat Technology Ltd (Taiwan).

The brand names under which WhatsApp alleges they peddled fake apps and addons are HeyMods, Highlight Mobi, and HeyWhatsApp.

Very simply put, WhatsApp is arguing that the defendants knew perfectly well that their behaviour did not comply with Meta’s various terms and conditions, and that the purpose of violating those terms and conditions was to get access to and abuse legitimate users’ accounts.

The court document filed by WhatsApp includes a screenshot of the allegedly rogue app called HeyWhatsApp Android that ended up on alternative Android download market Malavida, where the app description quite openly warns users:

“WhatsApp does not authorise the user of these [modification tools] at all, so downloading HeyWhatsApp […] can lead to being banned from the service […] Neither does it guarantee correct functioning, meaning that we often encounter a lack of stability.”

Other rogue apps in the lawsuit, says Meta, were available in the Google Play Store itself, meaning not only that they received Google’s official imprimatur, but also potentially reached a much wider audience (and probably an audience with more cautious attitudes to cybersecurity).

One of these apps was downloaded more than 1,000,000 times, say the plaintiffs, and a second app exceeded 100,000 downloads.

As WhatsApp wryly states, “Defendants did not disclose on the Google Play Store or in its Privacy Policies that this application contained malware designed to collect the user’s WhatsApp authentication information.”

(As an equally wry aside, we can’t help but wonder how many people would have installed the app anyway, even if the defendants had admitted in advance that “this software steals your password”.)

What to do?

  • Avoid going off-market if you can. As this case reminds us, plenty of malware makes it past Google Play’s automated “software vetting” process, but there are at least some basic cybersecurity checks and balances applied by Google. In contrast, many off-market Android download sites quite deliberately take an “anything goes” approach, and some even pride themselves on accepting apps that Google rejected.
  • Consider a third-party cybersecurity app for your Android. Apps from cybersecurity specialists help you detect and block a wide range of rogue websites and malicious apps, even if Google’s Play Store lets them through. (Yes, Sophos has one, and it’s free.)
  • If it sounds too good to be true, it is too good to be true. Do you really need to change the WhatsApp colours? If the official app won’t let you do so, why would you trust one that claims to have discovered a workaround? In particular, don’t pay much, or even any, attention to the crowd-sourced ratings on app download sites, including Google Play itself. Those reviews could have been left by anyone.
  • Regularly remove apps that you don’t really need or aren’t using much. Loosely speaking, the more apps you have on your phone, the bigger your attack surface area, and the more likely you’ll end up giving away personal data you didn’t mean to. Why give house room to apps that aren’t serving a clear and useful purpose?

Be especially wary of apps that claim they’re only available on alternative download sites for intriguing-sounding reasons such as “Google doesn’t want you to have this app because it reduces their ad revenue”, or “this investment app is by invitation only, so don’t share this special link with anyone”.

There are many legitimate and useful apps that don’t align with Google’s business and commercial rules, and that will therefore never make it into the competitive world of Google Play…

…but there are many, many more apps that get rejected by Google because they clearly contain cybersecurity flaws, either due to programmers who were lazy, incompetent or both, or because the creators of the app were unreconstructed cybercriminals.

As we like to say: If in doubt/Leave it out.

5 Comments

I think there’s pretty much no such thing as a cybersecurity app on Android.

On the average Android device where all apps are sandboxed and without root access, how can your (and others’) security app control what other apps are allowed to do?

You would need a lower-level filter like antivirus software on Windows does.

Trying to make antivirus apps for Android as it is by default is like trying to make a Windows antivirus that doesn’t need admin rights or kernel privileges to work.

Even if other malicious apps can’t get ‘admin rights’ either, if a malicious app starts abusing the app uninstall window to disable its uninstall button, then uninstalls systematically security apps, what can you do to force it out?

I think that your Sophos cybersecurity app is probably a malicious website blocker & a static Android app scanner only?

I recognize you also have a password manager and authenticator inside, but security-wise you can’t do much to protect users if a malicious app already started locking / disrupting their screen, and such.

I think the better advice for average users is to know about Android’s ‘safe mode’ which loads only system apps.

From there you can disable Device Admin privileges for any user-installed app & uninstall the bad apps without them trying to stop you from removing them.

It’s not the Android recovery, it’s like the F8 safeboot on Windows.

It can be accessed by pressing a menu or back button during the Android boot animation, for example.

Reply

Thanks for your comments about our app and how you think it works.

As you say, there are limitations imposed by Google on what third party apps can do, but they don’t limit the app as much as you seem to think, and the app isn’t as restricted in its proactive prevention as you seem to assume.

In my opinion the app provides a decent amount of additional security over Android itself against downloading and running rogue apps (in real or near-real time, not just via a reactive static scan).

The app *does* need, and uses, more privileges than a normal app, which you need to assent to (in the same way you need to authorise Windows to install admin-level or kernel-driver apps).

So let’s just agree that you haven’t yourself tried our app, and that you aren’t going to try it because it’s not your cup of tea, because you don’t think it will do anything useful for you, and because you have other manual security interventions that you prefer to use instead.

That’s fine, not least because if everyone took exactly the same precautions we would present an easier collective target (a monoculture, I guess) for the crooks.

But let’s leave other people to try the app for themselves if they want, to see if it provides the sort of automatic additional protection they find useful.

Most users (in Western countries, at least) aren’t at huge risk of downloading random Android malware, but many users nevertheless install our app (or other vendors’ apps) because they find the real-time, proactive protection against suspicious apps and network destinations useful.

Safe mode is worth knowing about, but it’s largely a manual, reactive tool used for correcting security problems that have already occurred.

Many users also want automatic, proactive “badware” blocking (and removal) because they find it quicker and more effective, and because it can prevent attacks, not merely help you recover from them afterwards.

Reply

> This isn’t a new technique (legal action by IT industry giants has helped to take down malicious websites and malware distribution services before)

…and occasionally not-so-malicious software (e.g. small mom & pop shops)
/MicrosoftRant

Reply

Not sure which incidents you’re referring to… but there have been cases where hosting companies have ended up getting blocked, thus affecting legit and dodgy customers alike. Sometimes the hosting companies cry foul, but given that it’s a court issuing the blocking order, perhaps the court figured that the hosting service was simply not being careful enough about whom they were prepared to take money from. What you might call a “one rotten apple might not spoil the barrel but there’s no need to wait until the whole barrel is rotten before deciding to act” approach…

Reply