WhatsApp goes after Chinese password scammers via US court

If you can’t beat ’em, sue ’em!

Actually, the original quote doesn’t quite go like that, but you get the idea: if you can’t stop people downloading bogus, malware-tainted apps that pretend to be backed by your powerful, global brand…

…why not use your powerful, global brand to sue the creators of these rogue malware-spreading apps instead?

This isn’t a new technique (legal action by IT industry giants has helped to take down malicious websites and malware distribution services before), and it won’t stop the next wave of perpetrators from taking up where the last lot left off.

But anything that makes it more difficult for malware peddlers to operate in plain sight is worth a try.

WhatsApp on the offensive

WhatsApp, together with its parent company Meta, has started legal action against three companies whom it claims “misled over one million WhatsApp users into self-compromising their accounts as part of an account takeover attack.”

Loosely speaking, self-compromise in this context refers to app-based phishing: a modified app presents a login flow that looks genuine, but quietly keeps an unauthorised copy of whatever you type into it, including personal data such as your password and other authentication details.

As you can probably imagine, and as WhatsApp claims in its court filing, the primary value of these compromised accounts to the alleged infringers was that they could be used for “sending commercial spam messages”.

Unlike the email ecosystem, where anybody can email anybody (or, in the case of bulk message senders, where somebody can email everybody), messaging and social media apps such as WhatsApp are based on closed groups.

This sort of online world isn’t anywhere near as easy for spammers and scammers to infiltrate.

Indeed, we know plenty of people who hardly use email at all any more, preferring to communicate with friends and family via exactly this sort of closed group, mainly because it sidesteps the flood of intrusive and unwanted garbage they face via email.

Of course, the flip-side of a closed-group messaging ecosystem is that you’re more likely to believe, or at least to take a look at, stuff you receive from people you know.

You’re unlikely to open documents or click on links that clearly came from an email sender you’ve never met before, don’t want to meet, and never will…

…but even if you know that your cousin Chazza is prone to sharing groanworthy memes and eyebrow-lifting videos, you probably still take a look at them, because you know what to expect already, and, hey, it’s your cousin, not some totally random online sender.

In other words, if scammers can get into your social media accounts, they not only get access to your people-I’m-happy-to-chat-to list, but also acquire the ability to spam that list of people-who-are-happy-to-hear-from-you with messages that were apparently sent with your blessing.

Unfortunately, it’s not enough just to trust the sender, because you have to trust the sender’s device and their account as well.

Social network spamming and scamming based on compromised accounts is a bit like Business Email Compromise (BEC), where crooks go to the trouble of getting access to an official email account inside a company.

This means they’re in a position to trick the employees of that company much more convincingly than they could as outside senders.

Named and shamed

WhatsApp named three companies in the lawsuit, operating in South East Asia under three different brand names.

The companies are Rockey Tech HK Ltd (Hong Kong), Beijing Luokai Technology Co. Ltd (PRC), and Chitchat Technology Ltd (Taiwan).

The brand names under which WhatsApp alleges they peddled fake apps and add-ons are HeyMods, Highlight Mobi, and HeyWhatsApp.

Very simply put, WhatsApp is arguing that the defendants knew perfectly well that their behaviour did not comply with Meta’s various terms and conditions, and that the purpose of violating those terms and conditions was to get access to and abuse legitimate users’ accounts.

The court document filed by WhatsApp includes a screenshot of the allegedly rogue app called HeyWhatsApp Android that ended up on the alternative Android download market Malavida, where the app description quite openly warns users:

“WhatsApp does not authorise the user of these [modification tools] at all, so downloading HeyWhatsApp […] can lead to being banned from the service […] Neither does it guarantee correct functioning, meaning that we often encounter a lack of stability.”

Other rogue apps in the lawsuit, says Meta, were available in the Google Play Store itself, meaning not only that they received Google’s official imprimatur, but also potentially reached a much wider audience (and probably an audience with more cautious attitudes to cybersecurity).

One of these apps was downloaded more than 1,000,000 times, say the plaintiffs, and a second app exceeded 100,000 downloads.

As WhatsApp wryly states, “Defendants did not disclose on the Google Play Store or in its Privacy Policies that this application contained malware designed to collect the user’s WhatsApp authentication information.”

(As an equally wry aside, we can’t help but wonder how many people would have installed the app anyway, even if the defendants had admitted in advance that “this software steals your password”.)

What to do?

  • Avoid going off-market if you can. As this case reminds us, plenty of malware makes it past Google Play’s automated “software vetting” process, but there are at least some basic cybersecurity checks and balances applied by Google. In contrast, many off-market Android download sites quite deliberately take an “anything goes” approach, and some even pride themselves on accepting apps that Google rejected.
  • Consider a third-party cybersecurity app for your Android. Apps from cybersecurity specialists help you detect and block a wide range of rogue websites and malicious apps, even if Google’s Play Store lets them through. (Yes, Sophos has one, and it’s free.)
  • If it sounds too good to be true, it is too good to be true. Do you really need to change the WhatsApp colours? If the official app won’t let you do so, why would you trust one that claims to have discovered a workaround? In particular, don’t pay much, or even any, attention to the crowd-sourced ratings on app download sites, including Google Play itself. Those reviews could have been left by anyone.
  • Regularly remove apps that you don’t really need or aren’t using much. Loosely speaking, the more apps you have on your phone, the bigger your attack surface area, and the more likely you’ll end up giving away personal data you didn’t mean to. Why give house room to apps that aren’t serving a clear and useful purpose?
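As an added, practical check to go with the first and last points above (this script is not part of the original article and is not a WhatsApp, Meta or Sophos tool): it takes the output of Android’s `adb shell pm list packages -i`, which lists every installed package together with the package that installed it, and flags apps that were not installed by Google Play, or whose package name contains “whatsapp” without being one of the two official package names, `com.whatsapp` and `com.whatsapp.w4b`. The sample package-list lines are constructed for the example, and the `com.example.*` package names are hypothetical placeholders that do not refer to any real app.

```python
"""Flag sideloaded and WhatsApp-lookalike packages in `pm list packages -i` output."""
import re
import sys
from dataclasses import dataclass

# Official WhatsApp package names on Google Play: the consumer app and WhatsApp Business.
OFFICIAL_WHATSAPP = {"com.whatsapp", "com.whatsapp.w4b"}

# Installer reported for apps that came from the Google Play Store.
PLAY_INSTALLERS = {"com.android.vending"}

# Values commonly reported for manual APK installs: no recorded installer at all,
# or the system package installer UI (assumption: names vary slightly by device).
SIDELOAD_INSTALLERS = {
    "null",
    "com.android.packageinstaller",
    "com.google.android.packageinstaller",
}

# One line of `pm list packages -i` looks like:  package:<name> installer=<installer>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reasons: tuple


def parse_pm_line(line):
    """Return (package, installer) for one pm output line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("pkg"), m.group("inst")


def assess(package, installer):
    """Return a tuple of reasons this package deserves a second look (empty if none)."""
    reasons = []
    if installer not in PLAY_INSTALLERS:
        if installer in SIDELOAD_INSTALLERS:
            reasons.append("sideloaded")
        else:
            reasons.append(f"installed by {installer}")
    # A package that trades on the WhatsApp name but is not the real thing.
    if "whatsapp" in package.lower() and package not in OFFICIAL_WHATSAPP:
        reasons.append("whatsapp lookalike package name")
    return tuple(reasons)


def find_suspicious(lines):
    """Parse pm output lines and return Findings for every package with at least one reason."""
    findings = []
    for line in lines:
        parsed = parse_pm_line(line)
        if parsed is None:
            continue  # skip blank lines, warnings and anything else pm prints
        pkg, inst = parsed
        reasons = assess(pkg, inst)
        if reasons:
            findings.append(Finding(pkg, inst, reasons))
    return findings


# Constructed sample output; the com.example.* names are hypothetical placeholders.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp installer=com.android.vending
package:com.android.chrome installer=com.android.vending
package:com.example.heywhatsapp installer=null
package:com.example.wamod installer=com.example.altstore
package:com.example.notes installer=com.android.vending
"""


if __name__ == "__main__":
    # Read real output when piped in (adb shell pm list packages -i | python3 check.py),
    # otherwise demonstrate on the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_OUTPUT
    for f in find_suspicious(source.splitlines()):
        print(f"{f.package:32} installer={f.installer:22} {', '.join(f.reasons)}")
```

Treat the result as a starting point for a clean-up, not a verdict: the installer field is metadata recorded at install time rather than a security guarantee, and, as this very lawsuit shows, an app installed from Google Play can still be malicious. An empty list means “nothing obviously sideloaded or impersonating WhatsApp”, which is not the same as “safe”.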

Be especially wary of apps that claim they’re only available on alternative download sites for intriguing-sounding reasons such as “Google doesn’t want you to have this app because it reduces their ad revenue”, or “this investment app is by invitation only, so don’t share this special link with anyone”.

There are many legitimate and useful apps that don’t align with Google’s business and commercial rules, and that will therefore never make it into the competitive world of Google Play…

…but there are many, many more apps that get rejected by Google because they clearly contain cybersecurity flaws, either due to programmers who were lazy, incompetent or both, or because the creators of the app were unreconstructed cybercriminals.

As we like to say: If in doubt/Leave it out.