WhatsApp hijackers take over your account while you sleep

Late last week, Twitter user Zuk (@ihackbanme) tweeted an issue about WhatsApp that has the potential to turn heads.

He explains that attackers can take advantage of two things: a user’s availability and how identity verification works on WhatsApp.

A user who is not available to respond to verification checks—whether they’re asleep, in-flight, or have simply set their smartphone to “do not disturb”—may be at risk of losing their WhatsApp account. All an attacker needs is their target’s phone number.

Here’s how it works. 

The attacker attempts to log in to a WhatsApp account. As part of the verification process, WhatsApp sends an SMS with a PIN to the phone number tied to the account.

The user is unavailable so doesn’t realise there is a suspicious login. The attacker then tells WhatsApp that the SMS didn’t arrive and asks for verification by phone call.

Since the account owner is still unavailable and cannot pick up the call, the call goes to the number’s voicemail. Knowing the target’s phone number, the attacker then attempts to access their voicemail by keying in the last four digits of the user’s mobile number, which is usually the default PIN code to access the user’s voicemail.

The attacker then has the WhatsApp verification code, and can use it to access the victim’s WhatsApp account. They can then set up their own 2FA (two-factor authentication) on it, leaving the actual owner locked out of their own account.

Once the account has been hijacked, the attacker could use it to hijack accounts of the user’s contacts, spread malware, or hold the account hostage until the owner pays up to get it back.

How to protect your own WhatsApp account

This isn’t a new tactic, and has been around for a while, but there are two pretty simple things you can do to avoid it happening to you.

1. Change the default PIN of your voicemail.

2. Enable two-step verification on your WhatsApp account:

  • Open Settings.
  • Tap Account > Two-step verification > Enable.
  • Enter a six-digit PIN.
  • Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
  • Tap Next.
  • Confirm the details and tap Save or Done.

Stay safe!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

https://blog.malwarebytes.com/feed/