March 10, 2015 By Douglas Bonderud 2 min read

Messaging service WhatsApp already boasts more than 700 million active users, according to USA TODAY, but the company isn’t stopping there. Over the past few months, some Android users reported receiving invitations for a limited-time trial for a WhatsApp calling feature. There’s been no official announcement from the company, but that hasn’t stopped malicious actors from cashing in. WhatsApp users are now being targeted by an SMS scam designed to load their phones with malware.

Reaching Out

According to a March 8 article from Tech2, WhatsApp users worldwide are at risk. It all starts with an SMS message inviting them to test the app’s new calling feature. The included link takes users to a survey page, where they’re asked to fill out a few questions before getting started. Instead, they’re prompted to download new software. Once installed, malicious code activates, infecting the device and sending out the same invite message to 10 contacts found on the user’s phone.

This isn’t the first time the popular messaging app has been targeted by malware authors. In January, users in South Africa reported SMS texts warning them that their WhatsApp version wasn’t up-to-date. Upon following the embedded link, a Web browser tab was opened to display a large green “continue” button. Unfortunately, it also contained fine print at the bottom of the page indicating the user accepted an additional monthly charge on his or her bill, in some cases totaling $16 per month.

In a nearly identical attack, the Gazon malware has been busily targeting Android devices with fake SMS messages promoting free Amazon gift cards. Instead, users are prompted to take a survey. Each page of the survey earns the creator money through advertising clicks and sends SMS messages to contacts that direct them to the same scam websites.

Getting the Message

Android-based malware is on the rise, and WhatsApp is just the latest target. In fact, according to Kaspersky Lab, the number of Android-based financial threats tripled in 2014. Apple users aren’t off the hook, either: While Android is the more popular SMS scam platform, security experts warn that 2015 could be a banner year for iOS malware as criminals double down on iPhone and iPad attacks.

For mobile users, this means that if it seems too good to be true, it absolutely is. An invite to the as-yet-unannounced WhatsApp calling beta? Scam. Free Amazon gift card? Scam. Dire warnings about necessary updates or a limited-time offer? Scam. Avoiding these issues requires a very specific response: Don’t engage, don’t text back, don’t click the link and don’t download any new content. Gone are the days of secure mobile devices; now is the dawn of the smartphone-savvy cybercriminal.

Users must get the message or pay the price. The WhatsApp calling feature invite is a scam, and what’s up is mobile SMS malware.

Image Source: Flickr

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today