September 9, 2015 By Douglas Bonderud 2 min read

According to the Venture Capital Post, Facebook messaging tool WhatsApp now boasts over 900 million users and projects to hit 1 billion in the near future. While it’s not a huge money-maker for Facebook just yet — it’s charging just $1 per year in North America and Europe, and the app is available for free in developing countries — the service is nonetheless a popular target for cybercriminals.

As noted by SC Magazine, the newest attack vector leverages virtual business cards, or vCards. When opened on the Web version of the app, users could be exposed to a host of malware risks.

Above Board?

Kasif Dekel, a researcher for Check Point Security, which first found the new vulnerability, said all it takes for an attacker to compromise a victim’s computer is the right mobile phone number and a single vCard. Once opened in the WhatsApp Web service, hidden executable files in the vCard are activated, allowing attackers to install anything from ransomware to remote access tools (RATs), bots or Trojans.

Compounding the problem is the prevalence of vCards and the fact that many seem above board on the surface. What’s more, obtaining a user’s phone number often takes little more than a quick Internet search — and once a new vCard arrives, most users are willing to take a look since they often believe their number isn’t available for public viewing.

The app itself doesn’t help matters because it automatically syncs users’ mobile devices and desktop computers to provide a unified experience — meaning that even if users typically avoid their desktop, they’ll get a vCard notification and may be tempted to log on and check out the message, in turn exposing their system to malware. And with approximately 200 million WhatsApp users leveraging the Web portal on a regular basis, this malware threat comes with a significant attack surface.

The Issue With Doing Everything

Facebook’s purchase of WhatsApp certainly seems to be paying off. Users love the service, and the company has a built-in revenue model if and when they choose to use it. But the service suffers from the same problem as many others of similar nature: trying to do everything, all at once, for interested users.

While synchronization across devices and the ability to view images, videos, audio files, locations and contact cards is attractive for users, this kind of smorgasbord represents massive opportunity for cybercriminals. If users can be convinced to download one malicious file or open one seemingly legitimate business card, it’s possible to infect entire systems without victims even knowing they’ve been compromised.

Fortunately, WhatsApp has been quick to respond. While all versions before 0.1.4481 are still vulnerable, the company issued a temporary mitigation against this vCard vulnerability for Web clients and already has a more permanent fix in the works. Of course, the onus for updating remains with the user — the sooner the better to ensure protection against this kind of exploit.

Messaging apps are prime targets for attackers since they offer big user basis and a low bar to entry. Stopping cybercriminal trash talk demands a combination of app developer speed and user commitment to securing their own devices.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today