Pavel Durov said that everyone urgently needs to remove WhatsApp from smartphones and other devices.

Indeed, there have been many questions about the security and confidentiality of this messenger. We have collected all the important information on this topic so that you know what dangers may await you in the most popular messenger.

Let's find out what's wrong with WhatsApp.

Pavel Durov said: WhatsApp is a Trojan

Not only does WhatsApp fail to protect your WhatsApp messages, but it is also constantly used as a Trojan to spy on non-WhatsApp photos and messages. Why would they [developers] do this? Facebook was part of surveillance programs long before it bought WhatsApp. 

The Telegram developer emphasized that all the bugs found in WhatsApp are ideal for spying on users. And if you remember the duck test (if it looks like a duck, swims like a duck and quacks like a duck, then it probably is a duck), you really do want to get rid of the application.

According to Durov, “Facebook and WhatsApp shared almost everything with those who claimed to be working for the government.” Oh. 

Israelis Achieve Impressive Success in Hacking WhatsApp

In May 2019, cybersecurity experts found a hole in WhatsApp’s voice calling system that was being used to spy on activists. This worked on both Android and iOS. 

The malware was developed by the Israeli company NSO Group. It allowed installing spy applications on a smartphone with WhatsApp. 

To hack the smartphone, the hackers simply called the victim via WhatsApp. The application automatically answered the call – without the owner’s knowledge! Then the smartphone was loaded with spyware to steal data. Call records were deleted so that no one would suspect anything. 

WhatsApp acknowledged the problem. The developers compared the malware code with other NSO Group developments and came to the conclusion that the handwriting was indeed the same. They then developed a security patch in four days and asked all users (1.5 billion people, just a minute!) to install it.

How does the Israeli NSO Group make money?

The main product of the company is Pegasus. This is software that is able to turn on the camera and microphone of a smartphone, view e-mail and messages, and collect geolocation data. 

The main customers of Pegasus are intelligence agencies of the Middle East, USA, Western Europe and other regions. Formally, the software is used at the behest of governments to counter terrorism and prevent crime.

When the problem with WhatsApp became public knowledge, NSO Group threw up its hands: we check all customers and investigate cases of abuse, they said. We do not hunt human rights defenders, which means we are not guilty of anything and have not violated anything.

How much Pegasus costs is unknown. NSO Group itself is estimated at $1 billion.

Another thing is funny: after the patch was released, a lawyer from London reported an attack resembling the use of NSO Group software. He defended a Saudi dissident and Mexican journalists who had also previously been attacked using the same software.

But it was not possible to obtain data from the lawyer's smartphone. So the patch does work.

The lawyer also helped the victims of the attack sue the NSO Group. He stated that the developers should share the responsibility for the hacking with their clients. 

Since the NSO Group exported software abroad, the Israeli Ministry of Defense also made a complaint. But the lawyers are convinced that the ministry knew about Pegasus' capabilities beforehand, so this is just for show.

How WhatsApp works is generally unknown

WhatsApp is a closed source messenger. In general, this is normal for commercial applications. But open-source products inspire more trust. 

In WhatsApp, you cannot see how a new version differs from its predecessor. Nor can you analyze the code to look for backdoors.

Experts look for vulnerabilities in WhatsApp based on the behavior of the finished product. This does not give the full picture.

What's more, the WhatsApp developers obfuscate the code: it is deliberately made confusing to complicate analysis.

Most likely, this was done at the request of the special services. WhatsApp and parent company Facebook could be required to leave backdoors in the software. And if the companies were served with a nondisclosure order by the FBI (a so-called gag order), Zuckerberg cannot even complain to the public.

WhatsApp was originally full of security holes

The creators of WhatsApp have stated that "security is in its DNA." But everything turned out to be exactly the opposite.

For example, in 2011-2012, even mobile providers and Wi-Fi hotspot administrators could access your WhatsApp correspondence. At one time, encryption keys could be changed right in the chat. It is unlikely that the company’s testers did not notice this. 

When standard encryption was introduced, the keys were made available to some governments. But no one encrypted the backups that users were persistently urged to store in the cloud.

End-to-end encryption, which was integrated in April 2016 and is used today, also does not protect against data theft. For example, the developers admitted that backups to Google Drive were uploaded without encryption.

And yes, the messenger also passed the metadata of conversations to the authorities. From it, one can tell when and with whom you communicated.

And back in 2013, researchers found that WhatsApp copied all mobile phone numbers from the address book to its servers. Formally, this was to show which contacts had already installed WhatsApp. In reality, anything could be done with this data.

The WhatsApp servers also received the numbers of people who had not installed the application. In addition, an unreliable scheme was used when sending them: the data can be decrypted even on a home laptop in three minutes.

WhatsApp hacking proven at the highest level

The investigation into Paul Manafort, campaign manager for Donald Trump and adviser to fugitive Ukrainian President Yanukovych, confirms that the messenger is full of surprises. Manafort's WhatsApp messages were pulled from iCloud.

Apparently Apple gave the FBI access to the politician's iCloud under a court order.

And WhatsApp had to hand over encryption keys, which allowed agents to read Manafort’s correspondence. As a result, he was found guilty on several charges and imprisoned for seven and a half years. 

The founders of the messenger stopped believing in WhatsApp 

Facebook bought WhatsApp in February 2014 for $22 billion. In September 2017, WhatsApp co-founder Brian Acton left the company. In April 2018, Jan Koum did the same, due to doubts about the privacy of user data.

In March, following the Cambridge Analytica scandal, Acton called on people to delete Facebook and the company's other products. He also stated that Facebook had only reluctantly agreed to end-to-end encryption in WhatsApp.

Indeed: if a company has admitted that for years it stored hundreds of millions of Instagram passwords in plain text (!!!), then anything can be expected of it. The data was available to 2 thousand developers. Could someone have leaked this data? A rhetorical question.

Acton also expressed regret at agreeing to the Facebook deal:

I have sold my users’ privacy for great value. I made a choice and made concessions. And I have to live with it every day.

Acton added that what happens to encryption in WhatsApp after the sale is unknown. Somehow I can't believe that it has been dramatically improved.

WhatsApp can steal your data right now

A new high-profile scandal with WhatsApp began on October 3. The vulnerability threatens WhatsApp (versions up to 2.19.244) on Android, starting from version 8. 

It works like this:

  1. The hacker sends a GIF file to the victim: as a document, or simply in a chat if the attacker is in the victim's contact list. In the second case, the GIF will even download automatically.
  2. When the victim wants to send a media file to someone, they will click on the paperclip icon and open the gallery to select the file. 
  3. WhatsApp shows previews of media files in the gallery. This will serve as a trigger and launch the malware.
  4. Profit! Now the hacker can run arbitrary code on the victim’s smartphone. 

WhatsApp 2.19.244 solved the problem. 

But on November 14, experts found another hole (and Facebook acknowledged it). The bug exists in WhatsApp up to 2.19.274 for Android and in the iOS version up to 2.19.100.

The developers did not reveal many details. They only noted that the vulnerability is related to the way WhatsApp parses the metadata of MP4 video files.

If the bug is exploited, it is possible to achieve execution of arbitrary code on the smartphone or denial of service (when the gadget cannot be used). 

If you haven’t updated yet, it’s about time. 
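Whether a device has "updated yet" can be checked against the versions named above. The following is an added example, not code from WhatsApp or from this article: it audits an app inventory against those versions, reading "up to X" as "fixed in X" (an assumption about the wording); the device ids and inventory field names are hypothetical.

```python
# Fixed versions as named in the article ("up to X" read as "fixed in X": assumption).
FIXED = {
    "gif-preview": {"android": (2, 19, 244)},
    "mp4-metadata": {"android": (2, 19, 274), "ios": (2, 19, 100)},
}
GIF_MIN_ANDROID = 8  # article: GIF bug affects Android starting from version 8

def parse_version(text):
    """'2.19.98' -> (2, 19, 98), so parts compare as numbers, not as text."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def exposures(platform, app_version, os_major=None):
    """Return the article's bugs this install is still exposed to."""
    installed = parse_version(app_version)
    hits = []
    for bug, fixed in FIXED.items():
        fixed_in = fixed.get(platform.lower())
        if fixed_in is None:
            continue  # article lists no fixed version for this platform
        # Unknown OS version is treated as affected (conservative choice).
        if bug == "gif-preview" and os_major is not None and os_major < GIF_MIN_ANDROID:
            continue
        if installed < fixed_in:
            hits.append(bug)
    return hits

def audit(inventory):
    """Map device id -> outstanding bugs; unparseable versions are flagged."""
    report = {}
    for dev in inventory:
        try:
            hits = exposures(dev["platform"], dev["whatsapp"], dev.get("os_major"))
        except ValueError:
            hits = ["unknown-version"]
        if hits:
            report[dev["id"]] = hits
    return report

# Constructed sample inventory (hypothetical ids and field names).
SAMPLE = [
    {"id": "a1", "platform": "android", "whatsapp": "2.19.230", "os_major": 9},
    {"id": "a2", "platform": "android", "whatsapp": "2.19.230", "os_major": 7},
    {"id": "i1", "platform": "ios", "whatsapp": "2.19.98"},
    {"id": "i2", "platform": "ios", "whatsapp": "2.19.100"},
]
print(audit(SAMPLE))
```

Comparing the version strings as text would pass iOS 2.19.98 as newer than 2.19.100, which is why the parts are compared as integers.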

And what about Telegram itself

Security is not entirely smooth with Durov's messenger either. We looked into what the matter is.

In short, Telegram also uses end-to-end encryption. In private Telegram chats, only the participants really have the keys; in ordinary (cloud) chats, theoretically anyone can get the key.

Telegram's end-to-end encryption has been circumvented more than once. And other vulnerabilities have been discovered too. For example, in both WhatsApp and Telegram, it was possible to hide malicious code in an image, send it to the victim, and then gain full access to their account.

And in general: in September, expert Dhiraj Mishra discovered that files deleted in Telegram remain on the device after you click the “Delete for all” button in the chat. So if you mistakenly forward your nudes to the boss, and then immediately delete them, the boss can still review them as much as he wants. The photo is saved to a folder on his smartphone when it is received. And hackers will be able to access files on the device.

Telegram acknowledged the problem. For the found bug, Mishra was paid 2500 euros as part of the bug bounty program. 

WhatsApp has the same feature. And it works as it should. 

Well, people write programs. And people make mistakes. More often than we would like.

The only difference is that WhatsApp cooperates with the authorities, while Telegram claims that it does not cooperate.

So what now?

If you only have WhatsApp for grocery lists and school chats, generally you don’t have to worry. But you shouldn’t transfer confidential information and nudes through it. 

Telegram is still safer than WhatsApp. And Signal is perhaps safer than Telegram.

There are also Wire, Threema and other products. But there are no absolutely secure messengers.