March 10, 2015 By Douglas Bonderud 2 min read

Messaging service WhatsApp already boasts more than 700 million active users, according to USA TODAY, but the company isn’t stopping there. Over the past few months, some Android users reported receiving invitations for a limited-time trial for a WhatsApp calling feature. There’s been no official announcement from the company, but that hasn’t stopped malicious actors from cashing in. WhatsApp users are now being targeted by an SMS scam designed to load their phones with malware.

Reaching Out

According to a March 8 article from Tech2, WhatsApp users worldwide are at risk. It all starts with an SMS message inviting them to test the app’s new calling feature. The included link takes users to a survey page, where they’re asked to fill out a few questions before getting started. Instead, they’re prompted to download new software. Once installed, malicious code activates, infecting the device and sending out the same invite message to 10 contacts found on the user’s phone.

This isn’t the first time the popular messaging app has been targeted by malware authors. In January, users in South Africa reported SMS texts warning them that their WhatsApp version wasn’t up-to-date. Upon following the embedded link, a Web browser tab was opened to display a large green “continue” button. Unfortunately, it also contained fine print at the bottom of the page indicating the user accepted an additional monthly charge on his or her bill, in some cases totaling $16 per month.

In a nearly identical attack, the Gazon malware has been busily targeting Android devices with fake SMS messages promoting free Amazon gift cards. Instead, users are prompted to take a survey. Each page of the survey earns the creator money through advertising clicks and sends SMS messages to contacts that direct them to the same scam websites.

Getting the Message

Android-based malware is on the rise, and WhatsApp is just the latest target. In fact, according to Kaspersky Lab, the number of Android-based financial threats tripled in 2014. Apple users aren’t off the hook, either: While Android is the more popular SMS scam platform, security experts warn that 2015 could be a banner year for iOS malware as criminals double down on iPhone and iPad attacks.

For mobile users, this means that if it seems too good to be true, it absolutely is. An invite to the as-yet-unannounced WhatsApp calling beta? Scam. Free Amazon gift card? Scam. Dire warnings about necessary updates or a limited-time offer? Scam. Avoiding these issues requires a very specific response: Don’t engage, don’t text back, don’t click the link and don’t download any new content. Gone are the days of secure mobile devices; now is the dawn of the smartphone-savvy cybercriminal.

Users must get the message or pay the price. The WhatsApp calling feature invite is a scam, and what’s up is mobile SMS malware.

Image Source: Flickr

More from

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

Security roundup: Top AI stories in 2024

3 min read - 2024 has been a banner year for artificial intelligence (AI). As enterprises ramp up adoption, however, malicious actors have been exploring new ways to compromise systems with intelligent attacks.With the AI landscape rapidly evolving, it's worth looking back before moving forward. Here are our top five AI security stories for 2024.Can you hear me now? Hackers hijack audio with AIAttackers can fake entire conversations using large language models (LLMs), voice cloning and speech-to-text software. This method is relatively easy to…

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today