WhatsApp Spam on the Rise as Encryption Poses Problems

The coming year is likely to see a growing spam ecosystem develop on WhatsApp, which could thrive thanks to the platform’s decision to roll out end-to-end encryption, according to security researchers.

There are no specific figures detailing spam levels, but with 700 million active users and 30 billion messages sent each day on the platform, there are signs that spammers are extending their SMS and iMessage campaigns to the Facebook-owned OTT service.

One such campaign targeting European WhatsApp users aims to promote fake handbags and luxury goods, according to AdaptiveMobile head of data intelligence, Cathal McDaid.

“This spam, which has been reported from Chinese mobile numbers, is very similar to the same type of spam which has been implicated in a Chinese originated iMessage spam attack in 2014 that affected primarily the US, but also other countries,” he wrote in a blog post.

“Due to the massive decline in the amount of SMS spam in America, this attack gained prominence as it occupied a large percentage of the remaining spam being reported at the time. The presence of the same kind of attacks clearly indicates that these types of spammers have decided to switch, or at least diversify onto WhatsApp.”

In India, a government crackdown on SMS spam which led to a 97% drop in unsolicited messages has apparently opened up a new front on WhatsApp, where setting up a spam campaign is slightly more expensive and complicated.

However, it’s not covered by the government’s new regulations and offers additional benefits such as the ability to send longer messages, McDaid claimed.

Other benefits of WhatsApp include the fact that the cost of sending a message internationally is effectively irrelevant, leading to a greater volume of cross-border spam campaigns.

VoIP virtual numbers have also become a popular way to circumvent shutdowns of regular phone numbers – a tactic used in the past by SMS spammers.

“This reuse of the same methods from other messaging spam types – of using VoIP numbers – along with the same scams, means that the WhatsApp spammers are not ‘native’ spammers, but incoming groups who have operated on other types of messaging, and who come to WhatsApp with extensive experience,” said McDaid.

WhatsApp’s decision to roll out end-to-end encryption could hamper efforts to detect spam content and block messages on the platform.

“Long term, promising methods like homomorphic encryption – an encryption approach that allows operations on encrypted values without having to decrypt the value first – may offer WhatsApp the ability to filter the encrypted content at their servers,” McDaid said.

“While great strides have been made recently in this, it’s still likely to take many years before it’s ready for widespread use.”
