Have you read a few (so-called) tutorials on how to hack WhatsApp and now worry that someone could easily snoop on your account and read all your conversations? Caring about your privacy is a good thing, but there is no need to get too paranoid. Spying on WhatsApp chats is not impossible, since in theory any computer system can be “violated”, but fortunately the situation is not really that desperate.
Thanks to recent developments in encryption, WhatsApp conversations have become much harder to intercept than before, and it is almost impossible to “catch” them without access to the victim’s phone. This means that with a bit of prudence, by configuring your smartphone correctly and avoiding public Wi-Fi networks, you can reasonably rest easy. Would you like to know more? Good, then keep reading. I’m going to show you the main techniques cybercriminals use to hack a WhatsApp account, and the best ways to defend yourself.
Warning: spying on other people’s conversations is a crime, punishable by law. This tutorial has been written for illustrative purposes only, so I take no responsibility for any use you make of the information it contains.
WhatsApp protection systems
To find out what the main techniques used by criminals to hack WhatsApp are, we must first understand how the app works and which protection systems it adopts.
WhatsApp uses a so-called end-to-end encryption system, which allows only the legitimate sender and recipient to read the contents of a conversation: information is transmitted in encrypted form from the sender’s phone to the WhatsApp servers, and reaches the recipient’s phone still in encrypted form.
This technology is based on a pair of linked keys: one public, one private. The public key is shared with your interlocutor and is used to encrypt outgoing messages, while the private key is stored only on each user’s smartphone and decrypts incoming messages.
To be more precise, this end-to-end system is called TextSecure. It is open source and was developed by the company Open Whisper Systems, which announced its collaboration with the famous messaging service in November 2014.
This means that WhatsApp did not previously use the same protection. It used an encryption scheme based on the RC4 algorithm, which covered only the leg from the sender’s phone to the service’s servers (so the servers could read the messages) and is much easier to attack for anyone willing to try.
Tests carried out by the security company Heise in April 2015 showed that end-to-end encryption had not been adopted at the same time on all WhatsApp versions. At that time it was available on Android only, while the other platforms still used the RC4 algorithm.
The moral of the story? WhatsApp should now be fairly secure: the end-to-end encryption system does not allow ill-intentioned people to obtain our conversations through activities such as wireless network sniffing (that is, monitoring the network the smartphone is connected to), but unfortunately there are a few unknowns we need to consider.
First of all, WhatsApp is closed-source software, so we cannot examine its source code in depth, and we cannot even know whether end-to-end encryption has been implemented perfectly. It should currently work on all the main mobile platforms, but, pending more specific tests, we cannot be totally sure the app is inviolable.
Moreover, there are a few other techniques, less sophisticated than wireless sniffing but currently more effective, which allow someone to “spy on” WhatsApp, and against which we must stay on guard.
Let’s take a look at some of the most popular ones:
Hacking WhatsApp Web
You know WhatsApp Web, don’t you? It is an online service that lets you use WhatsApp from your computer without installing any specific software. I have also covered it in my tutorial on WhatsApp for PC.
WhatsApp Web can remember the user’s identity, so after the first login you no longer need to authenticate, and it works even if the smartphone and the PC are not connected to the same wireless network (the phone just needs to be connected to any Wi-Fi or mobile data network, such as 3G or LTE).
These “hints” make it easy to understand that an ill-intentioned person could get hold of or borrow your phone under any pretext, use it to log in to WhatsApp Web on their computer (they just need to scan a QR code with the phone’s camera) and then keep reading your messages continuously, without your knowledge.
How to protect yourself – to avert this kind of threat, first of all avoid lending or handing your smartphone to strangers (or people you do not particularly trust). Secondly, check the active WhatsApp Web sessions on your account every once in a while.
If you do not know how to do that, launch WhatsApp and tap Settings > WhatsApp Web. If you notice a suspicious open WhatsApp Web session, tap Log out from all computers (and then Log out) to revoke the authorization of all PCs connected to WhatsApp Web with your account.
By following the steps above you will cut off any snoopers, who at that point would have to rescan the QR code with your smartphone to access your conversations.
WhatsApp clone copies
An additional way to hack WhatsApp – a strategy quite popular among cybercriminals – is installing a “clone” copy of the app. What does a “clone” copy mean? I will explain right away.
A prowler could install WhatsApp on their own smartphone and access your account undisturbed – evading all verification systems in the process – simply by masking their smartphone’s MAC address.
A MAC address is a string of hexadecimal digits that uniquely identifies any device able to connect to the Internet. WhatsApp uses it, together with the mobile number, to verify the identity of all users.
Now, if someone with above-average IT knowledge manages to get their hands on your smartphone and find out its MAC address (which can be freely viewed in the Info menu of any OS), they can then use various apps (e.g. BusyBox and Mac Address Ghost on Android) to mask their own MAC address and make it look like yours.
At this point, the aforementioned “snooper” can install a copy of WhatsApp on their phone, activate it using your mobile number (which means an SMS with a verification code is delivered to your device) and use the service pretending to be you, gaining full access to your conversations.
How to protect yourself – as we have just seen, cloning a MAC address is not in itself a complex thing to do (average IT knowledge is enough). However, to succeed in the attack, the snooper needs physical access to the victim’s smartphone – and quite a bit of time on their hands.
The best measures against this kind of risk are those that call for a bit of common sense: use a secure PIN and disable SMS previews on your smartphone’s lock screen (making it impossible to read a WhatsApp verification code without unlocking the phone).
To set a secure (hard to guess) PIN on your smartphone, follow these simple instructions.
- If you have an Android phone – go to Settings > Security > Screen lock and tap PIN to set a numeric PIN, or tap Pattern if you prefer a pattern.
- If you have an iPhone – go to Settings > Touch ID & Passcode and select Change Passcode.
Here are the instructions to disable SMS lock screen previews.
- If you have an Android phone – go to Settings > Security > Screen lock and set your PIN or pattern. Then choose to hide sensitive content on the lock screen and you are set.
- If you have an iPhone – go to Settings > Notifications > Messages and untick Show on “Screen lock”.
What if someone with shallower IT knowledge tried to activate a new copy of WhatsApp using your mobile number? Without first cloning your MAC address, this would turn out to be quite useless.
In fact, WhatsApp only lets you pair a mobile number with one smartphone at a time. This means that the rightful owner of the account can fully regain their identity simply by reactivating WhatsApp on their own smartphone. The snooper’s phone would then automatically lose access.
Another danger to be wary of is spyware: usually invisible to the user, it can hack WhatsApp by logging keystrokes, taking screenshots and sending other information to third parties.
There are many kinds of spyware: some are highly professional (you have to pay for them) and are clearly designed to spy on users. Others are available for free with the official purpose of serving as parental control tools, or of helping you if your phone is lost or stolen – but they can be tweaked and used as fully functional spying tools.
How to protect yourself – to install any kind of spyware on your phone, the attacker must have physical access to the device, so all the advice I gave earlier still applies (starting with setting a secure PIN).
Additionally, take a look at the list of apps installed on your smartphone. If you notice any suspicious app, get rid of it immediately.
- If you have an Android phone – go to Settings > Apps and tap All to view all the apps installed on your phone.
- If you have an iPhone – go to Settings > General > Storage & iCloud Usage > Manage Storage to view all the apps installed on your device.
Unfortunately, as I have already said, spyware is usually invisible to the user. This means that some spyware could be installed on your phone without showing up in the lists above.
If you are in that situation and are sure your phone is under remote control, the only solution that works is wiping your device and reinstalling everything from scratch. For more information on this (drastic but effective) procedure, check out my guides on how to format Android and how to reset an iPhone.