Hacking WhatsApp spy app

WhatsSpy Public: Someone Could Monitor All Your WhatsApp Activities

We previously wrote about WhatsBot, an instant WhatsApp service that answers queries about Wiki, fashion, football fixtures and scores, and much more. Today we are writing about something similar to WhatsBot, but a little heavier and more striking.

Two different projects targeting WhatsApp have appeared, one from Maikel Zweerink and one from an anonymous developer. The former is WhatsSpy Public and the latter is WhatsSpy Last Seen. WhatsSpy Last Seen is an Android mobile app, just like WhatsApp. It shows a contact's last-seen timestamp without letting them know you are online. Some people prefer to turn off their Last Seen so that only they can see it, but WhatsSpy Last Seen bypasses that setting.

WhatsSpy Public, on the other hand, is a web-oriented application that tracks the WhatsApp activity of whoever its operator chooses to monitor. The application was built as a proof of concept that WhatsApp is broken in terms of privacy. Once it is set up, any WhatsApp contact can be tracked. Some of the activities WhatsSpy Public monitors are:

Online/Offline status (even with privacy options to nobody)
Profile pictures
Privacy settings
Status messages

If someone really wants to track you on WhatsApp, conventional app locks, security swipes and passwords will not stop them. Suppose your boss at work is a tough guy who has little confidence in how his employees handle their social lives at his expense. Yes, it does happen. He might hire a tech guy to deploy the WhatsSpy app on his computer, register all his employees' contacts and start tracking, lol. I would not want to guess your fate the day after you gossiped about him.

But there is still hope: this can be avoided. WhatsSpy Public is not an ordinary project, and setting it up requires deep IT knowledge. Unlike WhatsSpy Last Seen, it is not an Android app. The application was developed with HTML, CSS, JavaScript and Linux dependencies. The good news is that it is not meant to be set up on a Windows computer: it works on a Linux server, VPS, Raspberry Pi or Linux desktop that runs 24/7. It also requires full command-line access to the machine (a simple PHP web host won't work). Now, I wonder how many tech guys can handle these requirements.

Let's hope that some day WhatsApp will guarantee your privacy 100%.

External Links

Download WhatsSpy Last Seen
Download WhatsSpy Public
WhatsSpy Project Wiki

About two months ago I released WhatsSpy Public to prove that WhatsApp, six months after the first discovery, still did not fix the privacy problem where a random user can access any online/offline status of a WhatsApp user with only the knowledge of their phone number.

It got quite a lot of media attention, up to the point where I needed to disable most services on my server to keep it online. View here all publications (incomplete).

Contact with WhatsApp

At the release, various news websites (Wired, The Register, Sophos) contacted WhatsApp for a response; only Sophos got an actual response. I quote from the spokesman of WhatsApp who responded to Sophos:

"So in essence he built a program that just records and monitors information he has access to anyway. I also assume this would only be for people who he has in his contact list so these are people he knows anyway."

The one response that came from WhatsApp came with a wrong assumption, and it looks like they tried to dig this problem into the ground. The one response acts like this is all normal, meanwhile other messaging services like Telegram and Hangouts protected against this public privacy problem where anyone can request your online/offline status. These services block any (meta-)information from leaking to a complete stranger on their service, meanwhile WhatsApp acts like this spying is just part of their service.

After this I contacted WhatsApp myself, but never got an answer. I reported it via their ticketing system (which is pretty annoying by the way) and directly to their spokesman, but after all these weeks still no luck.

WhatsSpy Public Usage

As of writing, the minimum number of installations that are currently active is a whopping >47.300 active WhatsSpy Public installations. This is based on the requests executed to check if there is a new version available, grouped by IP address, over the last 7 days (!). The real number of installations can in fact be much higher (multiple instances running on the same IP, or instances that were used more than 7 days ago).

A rather interesting fact is that Germany is one of the top users of the PoC with close to 30% compared to the rest of the world. 71% of all installations run on 1.4.0 or higher and the number of extra installations skyrocketed this week, because of the fully explained guide and Raspberry Pi image, which seems to be much easier to set up.
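
The counting method described above (update-check requests grouped by IP address over the last 7 days, plus the share running 1.4.0 or higher), shown as an added example that is not the author's or the project's code. The log format, addresses, dates and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed update-check log: "timestamp ip version" (assumed format).
SAMPLE_LOG = """\
2015-04-01T10:00:00 198.51.100.7 1.3.2
2015-04-06T09:12:00 198.51.100.7 1.4.0
2015-04-07T23:50:00 203.0.113.9 1.4.2
2015-04-08T01:05:00 203.0.113.9 1.4.2
2015-04-08T08:30:00 192.0.2.44 1.2.0
2015-04-08T11:45:00 192.0.2.80 1.10.0
malformed line
"""
NOW = datetime(2015, 4, 8, 12, 0, 0)  # constructed "time of writing"

def parse_version(text):
    # Compare numerically: as strings, "1.10.0" would sort below "1.4.0".
    return tuple(int(part) for part in text.split("."))

def active_installs(log_text, now, window_days=7):
    """Map each IP seen inside the window to its most recent version."""
    cutoff = now - timedelta(days=window_days)
    latest = {}  # ip -> (timestamp, version tuple)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        try:
            seen = datetime.fromisoformat(fields[0])
            version = parse_version(fields[2])
        except ValueError:
            continue
        if not cutoff <= seen <= now:
            continue  # instances last seen >7 days ago are not counted
        ip = fields[1]
        if ip not in latest or seen > latest[ip][0]:
            latest[ip] = (seen, version)
    # One entry per IP: several instances behind one address collapse
    # into one, which is why the result is only a lower bound.
    return {ip: version for ip, (_, version) in latest.items()}

def summarize(log_text, now, min_version="1.4.0"):
    """Return (minimum active installs, share at or above min_version)."""
    installs = active_installs(log_text, now)
    floor = parse_version(min_version)
    current = sum(1 for v in installs.values() if v >= floor)
    share = current / len(installs) if installs else 0.0
    return len(installs), share

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, NOW))
```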

The following image shows in which countries at least 25 instances are running:

So what now?

The WhatsSpy Public PoC can be a great tool to show your friends that WhatsApp is not really an ideal choice for a privacy friendly messenger (and now we are only speaking about information leakage to the outside).

WhatsApp might even fix this silently, which I think is somewhat childish behaviour, but at least it got fixed that way! We will need to see what the future will bring; I really hope they fix it. With the implementation of TextSecure (a method to keep your message content private for WhatsApp) on the way it could be a more privacy friendly messenger in the future, but if it fails to fix these problems there will be enough alternatives.
