Fake WhatsApp version: Purportedly the creation of Italian spyware vendor

By Amirtha P S, Desk Reporter

A fake version of WhatsApp for iPhone, developed by Italian surveillance company Cy4Gate, is reportedly tricking specific individuals into installing certain configuration files on their phones.

The report states that the fake version could have allowed hackers to gather data including the Unique Device Identifier (UDID) as well as the International Mobile Equipment Identity (IMEI). In 2019, WhatsApp was exploited by spyware created by Israel’s NSO Group, which allowed entities to target journalists and human rights activists across the globe.

Citizen Lab, the cybersecurity research lab at the University of Toronto, worked with online magazine Motherboard to find the fake version of WhatsApp that has been developed by Cy4Gate. Discussion of the forged WhatsApp version began after security company ZecOps tweeted about detecting attacks against users of the instant messaging app.

The research group found a site at the domain config5-dati[.]com that was tricking visitors into installing the fake app, which was actually a special configuration file for the iPhone. The fake version appeared to have been designed to obtain information about the victims and send it back to the hackers, the report added.

Multiple clusters of domains were related to the publicly shared link of the phishing site. Motherboard discovered some variations of the original URL. One of them was config1-dati[.]com, a phishing page tricking people into installing the fake version of WhatsApp.

The link and the home page seemed authentic with WhatsApp branding and professional graphics, and it also had instructions for the users on how to install a configuration file on the iPhone, the report mentioned.

Citizen Lab researcher Bill Marczak pointed out that the configuration file provided by the phishing page allowed the attacker to send device details like the UDID and IMEI to a server. The researchers, however, could not determine whether any other data was being obtained from the user's device.
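For defenders triaging a configuration file like the one described above, the following added example (not code from the report, Citizen Lab or Motherboard) lists which device identifiers a .mobileconfig file asks an iPhone to report and where it sends them. It assumes the file uses Apple's over-the-air "Profile Service" profile format, which the report does not specify; the function names and the sample profile are constructed for illustration.

```python
import plistlib

# Device attributes a "Profile Service" profile can ask an iPhone to report.
IDENTIFIERS = {"UDID", "IMEI", "ICCID", "MAC_ADDRESS_EN0", "DEVICE_NAME"}

def strip_cms(blob: bytes) -> bytes:
    """Signed profiles wrap the XML plist in a CMS envelope; carve the plist out."""
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return blob[start:end + len(b"</plist>")]

def audit_profile(blob: bytes) -> list[str]:
    """Return human-readable findings for one .mobileconfig file."""
    profile = plistlib.loads(strip_cms(blob))
    content = profile.get("PayloadContent")
    findings = []
    # In a Profile Service profile, PayloadContent is a dict, not a payload list.
    if profile.get("PayloadType") == "Profile Service" and isinstance(content, dict):
        url = str(content.get("URL", "<missing>"))
        asked = sorted(IDENTIFIERS & set(content.get("DeviceAttributes", [])))
        if asked:
            findings.append(f"reports {', '.join(asked)} to {url}")
        if not url.lower().startswith("https://"):
            findings.append("callback URL is not HTTPS")
    elif isinstance(content, list):
        # Ordinary configuration profile: list what it would install.
        findings += [f"installs payload {p.get('PayloadType')}"
                     for p in content if isinstance(p, dict)]
    return findings

# Constructed sample profile (not recovered from the campaign; URL is a placeholder).
SAMPLE = plistlib.dumps({
    "PayloadType": "Profile Service",
    "PayloadIdentifier": "invalid.example.constructed",
    "PayloadContent": {
        "URL": "https://collector.example.invalid/enroll",
        "DeviceAttributes": ["UDID", "IMEI", "VERSION", "PRODUCT"],
    },
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

The CMS handling is a byte-carving heuristic for triage, not signature verification; a profile's signer should be checked separately.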

There was no clear indication that the fake version of WhatsApp was linked to Cy4Gate, which works with law enforcement agencies and the government in Italy. However, a set of domains was found that shared an IP address with the config5-dati[.]com domain. That set drew attention to another set of domains that followed similar naming conventions; one of them was registered to “cy4gate srl”, which suggested a link to the Italian surveillance company.

“Modifying WhatsApp to harm others violates our terms of service. To help keep chats safe, we recommend that people download WhatsApp from the app store for their phone’s platform. Also, we may temporarily ban people using modified WhatsApp clients we detect to help encourage people to download WhatsApp from an authoritative source,” a WhatsApp spokesperson said.