It took Wuraola Onyeku about three weeks to realise that her partner was logged in to her WhatsApp account on his desktop. The first time she opened her WhatsApp after a night out with her friends to find herself in the middle of a conversation she couldn’t remember typing, she blamed the alcohol. The second time it happened, she blamed her poor memory on fatigue as she didn’t drink any alcohol.
“I was always getting responses to messages I couldn’t remember sending, and at a point, I strongly believed I had a health condition that made me forget things easily,” she shared.
Two years ago, WhatsApp made the news as thousands of accounts were compromised in a worldwide hack incident facilitated by WhatsApp calls. In recent months, WhatsApp hacks have resurfaced as hackers are discovering more insidious ways to infiltrate the app’s security. Tons of people have complained about their accounts being hacked and the Nigerian Communications Commission(NCC) has put out an advisory for users to be more careful with the platform as it has become the “main” target for hackers.
There are several new methods that hackers are deploying to gain access to accounts. Some of the most popular methods include malware embedded in spam messages and links, as well as a call-forwarding hack. The victims can range from close friends and family to random people they find in WhatsApp groups.
According to Adesola, a cybersecurity expert, the call-forwarding method involves calling victims and tricking them into calling certain man-machine interface (MMI) codes, which instruct your devices to perform specific actions.
“They essentially want to forward calls from the victim’s number to their own number, so when they try to re-register the WhatsApp account using their target’s phone number, they choose the option of a phone call to verify the phone number instead of choosing the OTP option,” he shared.
Other methods are more straightforward, like in the case of Onyeku. In April 2023, WhatsApp rolled out a new feature that allows users to operate one account on four devices. This feature means that malicious people can use your phone to scan a code on their laptops and will be logged into your account. Unlike other methods where the main owners are logged out, this allows you to use the account simultaneously.
According to Onyeku, she didn’t think about the possibility of someone else sending it because it didn’t feel like a hack as she was still logged in to her account, and she lived alone.
“I would have never suspected that someone else was using my account with me, much less my partner if he hadn’t confessed to it,” she shared.
One evening, Ganiu Oloruntade, a reporter living in Lagos received a call from a strange number asking if he belonged to a particular WhatsApp group which he confirmed. They further asked him to call out a certain number, which he refused to do. Seconds after he ended the call, he realised that he couldn’t access his WhatsApp account. In the two hours it took for him to recover his account, he kept receiving calls from friends informing him that he was distributing a broadcast message and requesting money.
“It was easier to recover it because I had the 2-factor authentication set up, but they already sent messages to all the groups I was a part of and received money from some people. I think they pick numbers from WhatsApp groups and call you to get your voice and send you a code,” he said.
Meta has been committed to expanding WhatsApp from an intimate messaging platform to a wider messaging app with “communities” and “channels” features, which puts more users at risk as it exposes phone numbers to a larger group. While the 2-FA can protect users from some hacks, there are more advanced ones that it fails to guard against. According to Adesola, there have been a lot of vulnerabilities on the platform in the past years and some still exist.
“When discovered, WhatsApp patches the vulnerability and sends a prompt to users to update their WhatsApp so that the changes they have made to curb the vulnerability can be effected,” he shared.
Have you got your tickets to TechCabal’s Moonshot Conference? Click here to do so now!