
WhatsApp account got "hacked"/hijacked?

Information Security Asked by d.a.vorm on October 28, 2021

I was on a WhatsApp call with my friend (Alice) when the call suddenly dropped. I then immediately opened my chats and noticed an alert in a mutual group that said “Your security code with Alice changed, because their account was registered on a new device”. At this point Alice was logged out of her account on her phone. She then tried to log back in, with WhatsApp sending the verification SMS, and she was able to log back in (at which point I received another alert about the security code changing). Barely a minute passed when Alice was logged out of her account again. She then tried to log back in but WhatsApp said “Your phone number +xxxxx is banned from using WhatsApp. Contact support for help”.

We’re genuinely perplexed. Just to be clear, this whole story from start to finish happened so quickly, within a span of around 5-10 minutes. Neither of us is a high profile / high value target. We’re just regular people. Unfortunately she did not turn on the “Two-step verification” feature that requires a PIN when re-registering the number – as a security enthusiast I’m kicking myself for not checking this with her.

So my questions:

  1. What the **** happened here??? I read that WhatsApp usually bans numbers reported for spam. She definitely did not spam anyone ever. In fact this was a secondary number she used very rarely with other people. Could it be that someone somehow used her number and sent spam so quickly the number was banned within 5 minutes?
  2. The only way for someone to use her number on WhatsApp is to have access to the verification SMS. I thought this could have been a SIM swap attack, but her SIM card is still usable as normal. Wouldn’t a SIM swap result in her card being dead? (and no, she did not receive any verification SMS before this happened. And she knows enough not to give the code to anyone anyway)
  3. Or could it be that they’ve been using her number for a while and been sending spam for a while? Unlikely, as far as I know WhatsApp only allows 1 device to be logged in at any time.
  4. How worried should we be? What data does this “hacker” have? I’m really concerned about the possibility of #3, if it meant that this adversary could have had access to all our messages for an unknown time span.
  5. Any mitigation steps we need to take? I’ve already removed the number from all shared groups and she has emailed WhatsApp support, if that does anything.

Edited to add more information in response to Jackson’s answer:

I am 100% sure Alice herself never violated any terms of use. So if that was the cause then someone else used her account.

Yes I considered malware on her phone, but it is unlikely, although not impossible. That phone is relatively new, and I have taught her quite well on good security practices – never reuse passwords, never install unknown apps, never open unknown links, never use public wifi, never open unexpected email attachments, etc. As far as I know her phone is not being synced or backed up to any servers. At most it’s probably connected to Google Drive, and her account is secured with 2FA. I will try to find out whether the service provider supports MultiSim or not.

She never leaves her phone unattended, and only ever uses WhatsApp Web on her personal computer at home. Although I can’t guarantee her computer is secure.

> Suppose Bob has a trojan on Alice. Then he probably has access to everything on the phone.
> Suppose Bob has a WhatsApp Web connection of Alice, then he has access to all her WhatsApp conversations.
> Suppose Bob is just spoofing Alice's number, then there is really not that much to worry about. He is just spoofing her; no data breach. Hopefully nothing was done illegally, though.

If any of these were the case, why was Alice logged out of her account? It would be in Bob’s best interest to remain undetected.

One Answer

> What the **** happened here??? I read that WhatsApp usually bans numbers reported for spam. She definitely did not spam anyone ever. In fact this was a secondary number she used very rarely with other people. Could it be that someone somehow used her number and sent spam so quickly the number was banned within 5 minutes?

There are many reasons she could have been banned. Mainly, any violation of the WhatsApp terms of use policy can result in a ban. See here. Also, here is a short extract of a post from India Today:

> As per the WhatsApp guidelines, WhatsApp only sends out this message to its users when the basic code of conduct is violated by the user. What is this violation? WhatsApp bans accounts when a user sends obscene, defamatory and threatening messages to another user. However, it is entirely on WhatsApp to decide what it constitutes obscene, defamatory and threatening message.
>
> Users are also banned when they promote violence on the app or create a fake account of someone. Another way one can get banned on WhatsApp is by sending too many messages to users, who are not added to his contact list. This may seem like a trivial issue but more often people have complained of getting messages from unknown people and that can be really bothersome at times. Basically, if you are spamming from your number, you may get banned. These bans are often permanent.

Moving on

> The only way for someone to use her number on WhatsApp is to have access to the verification SMS. I thought this could have been a SIM swap attack, but her SIM card is still usable as normal. Wouldn't a SIM swap result in her card being dead? (and no, she did not receive any verification SMS before this happened. And she knows enough not to give the code to anyone anyway)

Have you considered spyware or trojans on her phone? Also, you can duplicate a SIM without disabling the first SIM using MultiSim. This depends on your service provider. Furthermore, SMS was never secure in the first place. See here.

> Or could it be that they've been using her number for a while and been sending spam for a while? Unlikely, as far as I know WhatsApp only allows 1 device to be logged in at any time.

It is possible.

  1. Suppose malicious Bob had access to Alice's phone at one point in time and decided to log in to WhatsApp Web with Alice's phone.
  2. Suppose Alice decided to log in to WhatsApp Web on someone else's PC and forgot to log out, and Bob found that computer.
  3. Suppose Bob found the WhatsApp public master key of Alice and decides to send text on behalf of Alice. It should be possible. You can reference such attacks here.

> How worried should we be? What data does this "hacker" have? I'm really concerned about the possibility of #3, if it meant that this adversary could have had access to all our messages for an unknown time span.

Probably very.

How much he has depends.

  1. Suppose Bob has a trojan on Alice. Then he probably has access to everything on the phone.
  2. Suppose Bob has a WhatsApp Web connection of Alice, then he has access to all her WhatsApp conversations.
  3. Suppose Bob is just spoofing Alice's number, then there is really not that much to worry about. He is just spoofing her; no data breach. Hopefully nothing was done illegally, though.

There are probably more possible cases, but you get that the question is generic and dependent on the cause of the breach, which is unknown as of now.

> Any mitigation steps we need to take? I've already removed the number from all shared groups and she has emailed WhatsApp support, if that does anything.

Once again, it depends on the cause of the breach.

I'd be more worried about a trojan or MultiSim, so:

  1. Factory reset the phone.
  2. Enquire with your service provider as well.
  3. Ensure there are no logins on WhatsApp Web services.
  4. Also, I'd check if Alice's phone is being synchronized or backed up to any remote server, since it is a possible point of entry.

Answered by Jackson on October 28, 2021
