WhatsApp can’t seem to catch even a moment’s breath before something goes wrong. Ever since it introduced an unfortunate policy change to the platform’s Terms of Service, there’s been a constant stream of users jumping ship and migrating to competitors such as Signal or Telegram. While WhatsApp finally called the policy change off and delayed it until May 2021, it’s now got a new adversary to deal with quickly before even more people decide to bid adieu to the social media communication app. That very antagonist comes in the form of a worm virus masquerading as an innocuous Huawei mobile app.
According to Lukas Stefanko, a mobile security researcher, the malware starts with a WhatsApp message sent to users, with a link attached that redirects to a fake Huawei mobile app. Clicking the link will then take users to a fake Google Play setup (at this point, one might as well assume they’re on The Truman Show). Finally, upon installing the application, our worm gets to burrowing. The app (deemed wormable since it’s yet to develop worm-like qualities) asks for access to notifications. It then abuses the granted permission and uses WhatsApp’s quick reply feature to instantly send the original link to anyone who messages its host phone. Other than access to notifications, the wormable also requests background running capabilities. If provided with them, the wormable can plant itself over other apps and siphon off valuable and highly sensitive information, such as credentials, documents, etc. The forwarded messages, if sent to enough people via an active phone, then go on to continue the vicious cycle of malware spread, which is automated enough to not even require active human propagation. The AI revolution, ladies and gentlemen. Much more subtle than we thought it’d be.
While the wormable’s instigators are still very much at large, there are quite a few factors users can rely on to protect themselves from such attacks. The first, rather obviously, is not clicking on the link. It’s the 21st century. If anyone sends over an unprompted and unfamiliar link to something entirely out of context, the only decision should be to ignore it. If it’s important, the sender will probably explain themselves in a few minutes. The second factor is the malware’s limited spread, since it’s currently only self-propagating via WhatsApp. However, the wormable might just be upgraded to utilize other Android apps with a quick reply feature. Therefore, exercising caution is a necessary step, and perhaps the best defense users have against such attacks is to use only official websites and apps from authorized vendors and stores instead of depending on third parties.