Mobile device malware is one of the biggest threats to people’s privacy and security today because it can take advantage of your phone without your permission. To help prevent this, WhatsApp has added checks to help authenticate user accounts.
“We are concerned about malware that infects a mobile phone in much the same way a virus infects a computer. Malware is used to advance account takeover (ATO) attacks that send messages without the user’s knowledge or permission. In our ongoing effort to safeguard people’s accounts and information on WhatsApp, we’re introducing a new security measure – called Device Verification – to help prevent ATO attacks. Device Verification blocks the attacker’s connection, while allowing the victim to use their WhatsApp account uninterrupted,” WhatsApp said in a blog post.
Cryptographic keys
WhatsApp uses several cryptographic keys to ensure that communications across the app are end-to-end encrypted. One of these is the authentication key, which allows a WhatsApp client to connect to the WhatsApp server to re-establish a trusted connection. This authentication key allows people to use WhatsApp without having to enter a password, PIN, SMS code, or other credential every time they turn on the app.
This mechanism is secure because the authentication key cannot be intercepted by any third party, including WhatsApp. If a device is infected with malware, however, the authentication key can be stolen from the device itself.
The move from WhatsApp comes after reports of malware called Pegasus being planted on the phones of specific users to track their usage.
“Once malware is present on user devices, attackers can use the malware to capture the authentication key and use it to impersonate the victim to send spam, scams, phishing attempts, etc. to other potential victims. Device Verification will help WhatsApp identify these scenarios and protect the user’s account without interruption,” the messaging company said.
“WhatsApp has built Device Verification to benefit from how people typically read and react to messages sent to their device. When someone receives a message, their WhatsApp client wakes up and retrieves the offline message from the WhatsApp server. This process cannot be impersonated by malware that steals the authentication key and attempts to send messages from outside the user’s device,” it added.
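To make the idea concrete, here is an added example of a simplified server model (constructed for this article; it is not WhatsApp's code, and the page does not describe the real protocol): a connection must present both the long-lived authentication key and a freshness token that rotates every time the registered device retrieves its offline messages, so a copy exfiltrated earlier by malware goes stale as soon as the victim reads a message. The token name, the push-style device channel and the scenario are all assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    auth_key: str        # long-lived key; malware on the phone may exfiltrate a copy
    freshness: str       # rotates each time the registered device retrieves offline messages
    offline_queue: list = field(default_factory=list)
    sent: list = field(default_factory=list)

class Server:
    def __init__(self):
        self.accounts = {}
        self.device_channel = {}  # stands in for a push that reaches the registered device only

    def register(self, user):
        acct = self.accounts[user] = Account(secrets.token_hex(16), secrets.token_hex(8))
        self.device_channel[user] = acct.freshness
        return acct.auth_key

    def _check_key(self, user, auth_key):
        acct = self.accounts[user]
        if not secrets.compare_digest(auth_key, acct.auth_key):
            raise PermissionError("bad authentication key")
        return acct

    def retrieve_offline(self, user, auth_key):
        # Device wakes up and fetches offline messages; the fresh token goes to the device channel.
        acct = self._check_key(user, auth_key)
        msgs, acct.offline_queue = acct.offline_queue, []
        acct.freshness = self.device_channel[user] = secrets.token_hex(8)
        return msgs

    def send(self, user, auth_key, freshness, msg):
        # A valid key alone is not enough: the sender must also hold the current token.
        acct = self._check_key(user, auth_key)
        if not secrets.compare_digest(freshness, acct.freshness):
            return False  # stale copy of the device state: block this connection, keep the victim's
        acct.sent.append(msg)
        return True

def scenario():
    srv = Server()
    key = srv.register("victim")
    stolen_key, stolen_token = key, srv.device_channel["victim"]        # copied off the phone
    srv.accounts["victim"].offline_queue.append("hi")
    srv.retrieve_offline("victim", key)                                  # phone reads "hi"
    attacker_ok = srv.send("victim", stolen_key, stolen_token, "spam")   # blocked
    victim_ok = srv.send("victim", key, srv.device_channel["victim"], "reply")
    return attacker_ok, victim_ok, srv.accounts["victim"].sent
```

Running `scenario()` returns `(False, True, ['reply'])`: the attacker's connection is rejected even though its key is valid, while the victim keeps sending without interruption.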