Hackers are now using spyware to attack WhatsApp and other messaging accounts. The new warning from America’s cyber defense agency puts WhatsApp account hacks front and center again. Do not lose your account — all users must check their security now.
CISA says cyber threat actors use “sophisticated targeting and social engineering” to gain “unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”
Sophisticated spyware attacks are usually limited to high-value targets. They may come at you by way of malicious links, QR codes, app installs, mobile malware or even fake apps mimicking the ones we all know and use. 99% of your defense comes from not clicking links, not installing apps outside official stores and not opening attachments.
But your WhatsApp account is much more likely to be hijacked by social engineering: an attacker tricks you into sharing a one-time code that lets them transfer your account to their own device, leaving you with the challenge of getting it back.
Law enforcement and security firms continuously alert users about such attacks. And WhatsApp warns “you should never share your registration code with others, not even friends or family. WhatsApp can’t deactivate your account for you because there’s no way to verify that you’re the owner of the phone number associated with that account.”
Three things to do now. Open WhatsApp and go to Settings > Account. First, make sure you have two-step verification enabled. This is a PIN you set and need to remember. Second, add and verify your email address to help with account recovery. And third, add a passkey to your account. Do all three and your account is fully secure.
ESET offers some good advice on how to tell if your account has been compromised and what steps you can take to get it back. “Immediate actions and long-term fixes,” it says, will help you “regain access to WhatsApp – and keep it.”
But there may be an even better way. I have long pointed out that WhatsApp and other messengers are vulnerable because they don’t link account verification to the actual SIM in a phone. They rely instead on texting a PIN code to the number. That’s why stealing that code can move WhatsApp to a phone with a different number.
The solution is to link the WhatsApp account to the actual phone and number running WhatsApp. That’s how texting works. Over-the-top messaging should be the same. It would kill account hijacks without the need to actually steal or dupe the SIM itself.
India may be taking the lead on this. It is now legally mandating “SIM binding,” where messaging accounts are repeatedly re-linked to the physical SIM in a phone. If you run the messenger on another “linked” device, you are even forced to re-verify on the phone daily. Painful though this may be, it will firmly link WhatsApp to a phone’s number.
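To make the difference between the three checks concrete, here is an added toy model (not WhatsApp's or any messenger's real code) of a registration flow: an SMS one-time code alone, the same code plus the two-step verification PIN, and the code under a SIM-binding policy, plus the daily re-verification window for a linked device. Account numbers and SIM identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

@dataclass
class Account:
    number: str
    home_sim: str                        # identifier of the SIM the number lives on
    two_step_pin: Optional[str] = None   # set when two-step verification is enabled
    linked_verified_at: Dict[str, datetime] = field(default_factory=dict)

def verify_registration(acct: Account, device_sim: str, otp_ok: bool,
                        pin_given: Optional[str] = None,
                        sim_binding: bool = False) -> Tuple[bool, str]:
    """Decide whether a device may take over the account. Returns (granted, reason)."""
    if not otp_ok:
        return False, "bad or missing SMS code"
    # Two-step verification: a phished SMS code is not enough on its own.
    if acct.two_step_pin is not None and pin_given != acct.two_step_pin:
        return False, "two-step PIN required"
    # SIM binding: the registering device must carry the SIM the number belongs to.
    if sim_binding and device_sim != acct.home_sim:
        return False, "device SIM does not match account SIM"
    return True, "registered"

def linked_device_allowed(acct: Account, device_id: str, now: datetime,
                          reverify_every: timedelta = timedelta(hours=24)) -> bool:
    """A linked (secondary) device stays usable only while its daily re-verification is fresh."""
    last = acct.linked_verified_at.get(device_id)
    return last is not None and now - last <= reverify_every

def hijack_scenarios() -> Dict[str, bool]:
    """Attacker holds the victim's phished SMS code but a phone with a different SIM."""
    attacker_sim = "SIM-ATTACKER"                       # constructed
    victim = Account(number="+10000000000", home_sim="SIM-VICTIM")  # constructed
    otp_only = verify_registration(victim, attacker_sim, otp_ok=True)[0]
    victim.two_step_pin = "483920"                      # constructed PIN
    with_pin = verify_registration(victim, attacker_sim, otp_ok=True)[0]
    no_pin = Account(number="+10000000000", home_sim="SIM-VICTIM")
    sim_bound = verify_registration(no_pin, attacker_sim, otp_ok=True, sim_binding=True)[0]
    return {"otp_only": otp_only, "with_pin": with_pin, "sim_bound": sim_bound}

if __name__ == "__main__":
    print(hijack_scenarios())   # {'otp_only': True, 'with_pin': False, 'sim_bound': False}
```

Only the first scenario lets the stolen code move the account; the PIN and the SIM check each block it independently, and the linked-device helper shows why a laptop session lapses until the phone re-verifies.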
Meanwhile, make sure you have checked and updated those account settings. It takes seconds and will save you a world of pain and time. Do that now.
