WhatsApp Voice Calling Invites Harbor Malware

Messages purporting to be WhatsApp invitations to try out a new voice calling feature are actually nothing more than malware conduits.

WhatsApp, one of the biggest third-party instant messaging apps in the world, had 700 million active users sending 30 billion messages per day, as of January 2015, making it a popular target for scammers and hackers. To boot, it has started to roll out the hotly anticipated Free Voice Calling feature—which will add a VoIP capability to make calls, a la Skype and Viber. It’s available for Android, but it’s only invite-only for now.

Enter the cyber-scammers. Messages are going out to the WhatsApp base, inviting users to test out the new service. According to Hacker News, the invitation message appears to be from a legitimate friend, and says, "Hey, I’m inviting you to try WhatsApp Free Voice Calling feature, click here to activate now.”

The link takes users to another website, where they are asked to take a survey on behalf of the Facebook-owned service. And to take the survey, users are asked to download applications and software, which contain, of course, malware.

The fake invitation messages are circulating via social media, phishing emails, WhatsApp messages and scam websites.

This isn’t WhatsApp’s first rodeo when it comes to scams. Last year, Facebook ads offered WhatsApp users the purported chance to spy on their contacts' conversations; and within a week it had received 3,752 Facebook likes. But it was just a highly successful lure to trick users into downloading malicious apps.

WhatsApp is facing other cyber-issues as well. In January, researchers warned that end-to-end encryption on the platform could offer a safe haven to spammers, as was seen in a campaign targeting European WhatsApp users' aims to promote fake handbags and luxury goods. AdaptiveMobile head of data intelligence, Cathal McDaid, noted that “this spam, which has been reported from Chinese mobile numbers, is very similar to the same type of spam which has been implicated in a Chinese originated iMessage spam attack in 2014 that affected primarily the US, but also other countries.”

What’s Hot on Infosecurity Magazine?