Preliminary information
Before we get to the heart of the tutorial and illustrate the main techniques used by attackers to spy on someone else's WhatsApp and how to protect yourself, it seems right to provide you with some preliminary information.
To begin with, it should be noted that, at the end of 2014, WhatsApp, thanks to a collaboration between the team of the famous messaging service and the developers of Whisper Open Systems, began to adopt an end-to-end encryption system called TextSecure, which should greatly complicate the life of the "spies".
This system is based on the use of a pair of keys: one public and one private. The public key is shared with your interlocutor and is used to encrypt outgoing messages, while the private key resides on each user's smartphone and is used to decrypt incoming messages.
Thanks to this technology (of which the user is not aware because everything happens in real time and "behind the scenes"), messages travel from the smartphone to WhatsApp servers in an encrypted form, i.e. unreadable, and can only be decrypted by legitimate senders and recipients. For more information, you can refer to my tutorial on how to encrypt WhatsApp.
The only doubt concerns the implementation of end-to-end encryption: WhatsApp is a closed source application, so we cannot thoroughly verify its source code, and therefore we cannot know if any flaws leave room for bad guys.
However, it is worth noting that some tests, such as the one conducted by Heise in 2015, showed that end-to-end encryption was originally used only in the Android version of WhatsApp. In all other cases, on the other hand, an encryption system based on the RC4 algorithm, which works only on the output and has been considered no longer secure for some time, continued to be used. To date, however, the situation is completely different and end-to-end encryption is used on all platforms for which the messaging service is available.
Also know that before the introduction of TextSecure, one of the most sophisticated ways to spy on another phone's WhatsApp remotely was the "sniffing" of wireless networks, a technique that consists of capturing all the data passing through a Wi-Fi network using special software, as I explained in detail in my guide on the subject.
How to spy on someone else's WhatsApp
Although the famous messaging app can be considered a secure enough solution, there are still some techniques that bad guys can consider using to spy on someone else's WhatsApp. Let's find out which ones below.
Social engineering techniques
Similar to what happens in real life, dangers in the Internet world often come from where we least expect them. And so, while we imagine an army of super bad hackers ready to violate our privacy by launching attacks on WhatsApp servers, in reality, the people spying on our online conversations could be friendly colleagues we happen to meet at the bar, or even our acquaintances.
After all, it does not take a computer expert to understand this: it is much easier for someone, with a very banal excuse, to physically come into possession of our smartphone than for WhatsApp servers to be hacked or for hackers, hidden who knows where, to intercept our communications.
As for privacy on WhatsApp, currently the greatest danger is represented by social engineering. What is it? I'll explain in a moment. Social engineering is the set of techniques by which bad guys can achieve their goals by manipulating the psychology of the victim.
That is, it is when an attacker manages to get hold of his target (in this case the smartphone) by deceiving the victim with more or less trivial excuses (e.g. "I ran out of credit and I have to make an urgent call, could you lend me the phone for a moment?").
Identity theft via WhatsApp Web / Desktop
WhatsApp is also available as a Web App and as a client for Windows and macOS, through which it is possible to send and receive messages on the PC using the smartphone as a "bridge". They work on all major operating systems and no special configuration is required. To use them, simply open WhatsApp on your cell phone and scan the QR code displayed on the computer screen with the camera, as I explained in more detail in my tutorial on how to use WhatsApp on a PC.
But what is really worth noting is that WhatsApp Web / Desktop stores the user's identity. This means that you can access the service without rescanning the QR code, and it works even when the smartphone is not connected to the same network as the PC, provided it is connected to any Wi-Fi network or to the 3G / LTE data network of the cell phone.
This means that if an attacker manages to take over the victim's smartphone, logs in to WhatsApp Web / Desktop with it and leaves the link active so as not to have to repeat the scanning of the QR code, it becomes possible to spy on another phone's WhatsApp remotely and without the unfortunate victim realizing it.
It should be noted that WhatsApp Web is very "convenient" for malicious people as it works not only from a PC, but also from tablets and smartphones: it is enough to install applications that simulate access to the service from the desktop or to enable desktop view in the browser.
However, it should be noted that, to date, when a connection is established with an unknown device via the Web / Desktop version of WhatsApp, a specific notification indicating this is sent to the smartphone. As a result, it is possible to immediately understand if any abnormal activity is taking place.
In addition, it should be noted that if biometric recognition protections are configured on your device, it is virtually impossible for WhatsApp to be spied on through WhatsApp Web / Desktop. In this particular case, in fact, confirming access to the service requires the consent of the owner of the device, who must authorize the operation by verifying his identity through his face or fingerprint.
Spyware, anti-theft and parental control applications
If you leave your smartphone unattended for more than a few minutes, an attacker could take the opportunity to install spy apps on the device and secretly exploit them to spy on someone else's WhatsApp without having their cell phone.
It should be noted that these solutions are intended to allow the user's smartphone to be monitored legally, but considering how they work, they are particularly appreciated even by malicious people. There are several applications that allow this, usually installed via APK package on Android and via Cydia on iOS, as is the case of iKeyMonitor, one of the most popular spy apps that you can also try for free for a few days.
In addition, it must be said that anti-theft applications (those that allow you to locate lost cell phones) and parental control services have functions that could be used to capture screenshots and monitor most of the activities on the smartphone, such as Qustodio, available for both Android and iOS, and
OF SCREENING.
Also consider that when an attacker cannot physically put his hands on the victim's smartphone, he can send the victim a link to download and install the tool to spy on someone else's WhatsApp, disguised as other content.
Apps to monitor access
Although at the moment they are no longer available and no longer functional, I think it is fair to inform you that until not so long ago there were apps available that allowed access to the service to be monitored and that, therefore, could prove particularly useful to spy on another mobile's WhatsApp. I preferred to inform you about it because, although somewhat unlikely, a possible failure in WhatsApp could give new life to this type of solution.
The operation of these applications was very simple: you had to start the application and type in the WhatsApp number of the user to be kept under control. That's it! By doing so, it was possible to see the WhatsApp access times of the user of interest and receive notifications related to their activities.
In most cases, the apps in question could be downloaded and tested for free, but in order to take advantage of the data export feature and be able to use them without limits, a special subscription was required.
MAC address cloning
Another technique that bad guys can use to spy on someone else's WhatsApp is to clone the MAC address of the victim's phone. Fortunately, however, it's a rather time-consuming procedure and not really within everyone's reach: it takes a minimum of technical preparation to succeed.
If you have never heard of it, the MAC address is a 12-digit code that uniquely identifies PC network cards and, more generally, devices capable of connecting to the Internet.
Using applications suitable for the purpose, "spies" can disguise the MAC address of their own smartphone, so that it matches that of the victim's phone, and install a "cloned" copy of WhatsApp that will then report all messages from the original account.
The operation is feasible only after you have unlocked your device via root or jailbreak and installed apps like BusyBox and Ghost Mac Address on Android and SpoofMAC on iOS, as I explained in more detail in my guide on how to clone WhatsApp.
But this is just the beginning. In fact, to score the "hit" you have to steal the phone from the victim, find out his MAC address (through the Info screen settings), change the MAC address of your phone, install WhatsApp and activate the app using the number of the person to be spied on (to which, therefore, the confirmation code is sent).
How not to be spied on WhatsApp
In light of what has been said in the previous lines, it is very important to manage your smartphone conscientiously. This means not lending the device to the first person who comes along and not leaving it unattended in public places. However, it is even more important to prevent violations of your privacy with a few precautions, such as those listed below.
- Enable screen lock on WhatsApp - Probably not everyone knows this, but WhatsApp includes a feature that allows you to block access to the app via face or fingerprint and is very useful to prevent others from accessing your chats. To enable it, go to Settings> Account> Privacy> Privacy> WhatsApp Screen Lock, toggle ON the switch to activate the screen lock and you're done.
- Set a secure PIN - a secure PIN can keep out most of the bad guys: without access to the main menu of the smartphone, it is not possible to use WhatsApp for computers or install spy apps. Here are the instructions to change the PIN on your smartphone.
- If you have an Android phone, you must go to Settings> Security> Device screen lock and select the PIN item (or eg., if you want to use a gesture instead of the code).
- If you use an iPhone, go to Settings> Face ID / Touch ID and device passcode and select the Change Passcode item.
- Disable SMS display on the lock screen - By cloning the MAC address of your smartphone, an attacker could activate WhatsApp on his own phone using your number. However, to activate the application he must find out the verification code delivered by SMS to your cell phone. By disabling the SMS display on the lock screen, you can prevent malicious people from seeing the WhatsApp activation code without first unlocking your smartphone (virtually impossible if you have set a secure PIN).
- To disable the display of SMS on the Android lock screen, go to Settings> Security> Screen Lock> Device PIN, set a PIN and choose to hide sensitive content.
- To disable SMS display on the iPhone lock screen, go to Settings> Notifications> Device Messages and uncheck the Show item in "Lock screen".
- View your WhatsApp web sessions - by going to the Settings> WhatsApp Web / WhatsApp Desktop section you can view all active WhatsApp web sessions. If you find anything "suspicious" among these, click the button to log out from all devices and any malicious person spying on you via PC will lose automatic access to the service (they will be prompted to scan the QR code again).
- Search for spy apps - Do you suspect that someone has installed spy apps on your smartphone? Access the list of apps on the device and find out if there is anything suspicious. Note that in the most desperate cases, when you think there is a spy app on your smartphone but you can't locate it, the only viable solution is to format the phone. I know, it is a drastic measure, but it is also the only effective one. If you want to know more, read my tutorials on how to format Android and how to reset iPhone.
- To see the list of apps installed on Android, go to Settings> Apps> All device and remove all suspicious apps. Then go to Settings> Security> Device Administrators and take a look at the list of apps that can control the system. If among these there are any that you have not authorized yourself, uncheck their name and uninstall them.
- To see the list of applications installed on the iPhone, go to the Settings> General> iPhone Space section of the device and remove the applications that you think may be spying by tapping their name and then the Remove application item.
- Reactivate your account in case of deactivation - if someone has activated WhatsApp on another mobile using your phone number, the service will stop working on your device. If you suddenly find yourself with WhatsApp deactivated without having done anything, immediately report the incident to the support of the famous messaging app by writing to the email address [email protected], so you can regain control of your account and prevent further access to your data by unauthorized third parties.
Warning: this guide is written for illustrative purposes only. Spying on other people's WhatsApp conversations is a crime punishable by law, so I am not responsible for how you will use the information contained in the article.