A fake version of WhatsApp for iPhone appears to have been made by Italian surveillance company Cy4Gate to target specific individuals, according to a report. It could have allowed hackers to gather information about targeted users by tricking them to install certain configuration files on their iPhone. The information that the hackers could obtain include — but not limited to — the Unique Device Identifier (UDID) as well as the International Mobile Equipment Identity (IMEI). In 2019, WhatsApp was exploited by a spyware developed by Israel’s NSO Group that enabled entities to target journalists and human right activists in global regions including India.
Cybersecurity research lab at the University of Toronto, Citizen Lab, worked with Motherboard to find the fake version of WhatsApp for iPhone that has apparently been developed by Cy4Gate. The references of the counterfeit WhatsApp version emerged after security company ZecOps tweeted about the detection of attacks against users on the instant messaging app.
A site was found with domain config5-dati[.]com that was tricking visitors to install the fake app that was actually a special configuration file for the iPhone, Motherboard reported. It appeared to have been designed to gather information about the victims and send it back to the hackers.
Upon seeing the URL of the tricking site, Motherboard found multiple clusters of domains associated with the publicly shared link. Some variations of the original URL were also discovered. One of them was config1-dati[.]com that appeared to be a phishing page tricking individuals to install the fake version of WhatsApp. It looked legitimate, with WhatsApp branding and professional graphics, and provided instructions to the users on how to install a configuration file on the iPhone to get the fake version installed.
Citizen Lab researcher Bill Marczak noted that the configuration file provided by the phishing page was allowing the attacker to send device details including the UDID and IMEI to a server. The researchers, however, didn’t find what other data the file could have provided from the user device.
There was no clear reference of whether the fake version of WhatsApp was linked with Cy4Gate that works with law agencies and the government in Italy. However, a set of domains was found that at one point shared an IP address with the config5-dati[.]com domain. That set brought notice to another set of domains that followed similar conventions, and one of them was registered to “cy4gate srl.” This suggested the linkage with the Italian surveillance company.
A WhatsApp spokesperson assured action against the fake version. “We strongly oppose abuse from spyware companies, regardless of their clientele. Modifying WhatsApp to harm others violates our terms of service. We have and will continue to take action against such abuse, including in court,” the spokesperson said, as quoted by Motherboard.
“To help keep chats safe, we recommend that people download WhatsApp from the app store for their phone’s platform. In addition, we may temporarily ban people using modified WhatsApp clients we detect to help encourage people to download WhatsApp from an authoritative source,” the spokesperson added.
Facebook and WhatsApp — alongside other human rights groups — are currently fighting a legal battle with Israeli spyware maker NSO Group for allegedly reverse-engineering WhatsApp to spy on around 1,400 selected people worldwide. However, the latest finding suggests that NSO Group’s Pegasus spyware wasn’t the only option for entities to gain WhatsApp user details. Cy4Gate may have a similar system in place to acquire data by tricking some specific targeted individuals through the fake version of the app.