September 9, 2015 By Douglas Bonderud 2 min read

According to the Venture Capital Post, Facebook messaging tool WhatsApp now boasts over 900 million users and projects to hit 1 billion in the near future. While it’s not a huge money-maker for Facebook just yet — it’s charging just $1 per year in North America and Europe, and the app is available for free in developing countries — the service is nonetheless a popular target for cybercriminals.

As noted by SC Magazine, the newest attack vector leverages virtual business cards, or vCards. When opened on the Web version of the app, users could be exposed to a host of malware risks.

Above Board?

Kasif Dekel, a researcher for Check Point Security, which first found the new vulnerability, said all it takes for an attacker to compromise a victim’s computer is the right mobile phone number and a single vCard. Once opened in the WhatsApp Web service, hidden executable files in the vCard are activated, allowing attackers to install anything from ransomware to remote access tools (RATs), bots or Trojans.

Compounding the problem is the prevalence of vCards and the fact that many seem above board on the surface. What’s more, obtaining a user’s phone number often takes little more than a quick Internet search — and once a new vCard arrives, most users are willing to take a look since they often believe their number isn’t available for public viewing.

The app itself doesn’t help matters because it automatically syncs users’ mobile devices and desktop computers to provide a unified experience — meaning that even if users typically avoid their desktop, they’ll get a vCard notification and may be tempted to log on and check out the message, in turn exposing their system to malware. And with approximately 200 million WhatsApp users leveraging the Web portal on a regular basis, this malware threat comes with a significant attack surface.

The Issue With Doing Everything

Facebook’s purchase of WhatsApp certainly seems to be paying off. Users love the service, and the company has a built-in revenue model if and when they choose to use it. But the service suffers from the same problem as many others of similar nature: trying to do everything, all at once, for interested users.

While synchronization across devices and the ability to view images, videos, audio files, locations and contact cards is attractive for users, this kind of smorgasbord represents massive opportunity for cybercriminals. If users can be convinced to download one malicious file or open one seemingly legitimate business card, it’s possible to infect entire systems without victims even knowing they’ve been compromised.

Fortunately, WhatsApp has been quick to respond. While all versions before 0.1.4481 are still vulnerable, the company issued a temporary mitigation against this vCard vulnerability for Web clients and already has a more permanent fix in the works. Of course, the onus for updating remains with the user — the sooner the better to ensure protection against this kind of exploit.

Messaging apps are prime targets for attackers since they offer big user basis and a low bar to entry. Stopping cybercriminal trash talk demands a combination of app developer speed and user commitment to securing their own devices.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today