WhatsApp Improves Defense Against Malware-Based Account Takeover

By Adeola Adegunwa, Writer, Informationsecuritybuzz | Apr 14, 2023 02:46 am PST

WhatsApp unveiled several new security features today, one of which, called "Device Verification", is intended to improve defense against account takeover (ATO) attacks. Device Verification is aimed at malware running on an infected phone that steals the WhatsApp authentication key and then uses it, from an unofficial client outside the device, to impersonate the account and send phishing and scam messages to people in the victim's contact list.

Three new parameters are used to perform invisible back-end checks that automatically stop attackers from hijacking accounts: a security token saved on the device, a nonce that lets the server determine whether the client connecting to retrieve a message is the genuine one, and an authentication challenge that asynchronously pings the user's device.


According to WhatsApp, mobile malware is one of the biggest threats to people’s security and privacy today since it can exploit your phone without your consent to send unsolicited messages over WhatsApp. “We have implemented checks to assist in authenticating your account – without requiring any action from you – and better safeguard you if your device is compromised to help prevent this. This enables uninterrupted use of WhatsApp.”

All WhatsApp for Android users have already received this capability, and it is currently rolling out to iOS users worldwide. WhatsApp has unveiled two more security features: one alerts users when their account is being moved to a new device, and the other automatically verifies security codes so users can confirm that their conversations are end-to-end encrypted.

"Account Protect" adds an extra check when a WhatsApp account is being moved to a new device: the existing device is asked to confirm the transfer, and the user is notified of any unwanted attempt to move the account.

A new cryptographic feature called "Automatic Security Codes" lets WhatsApp clients automatically verify a contact's encryption keys against WhatsApp's Auditable Key Directory (AKD), a key transparency mechanism, so the client can confirm that a conversation is end-to-end encrypted with the correct key without the user comparing security codes by hand.

According to WhatsApp, its most security-conscious users have always been able to use its security code verification tool, which helps confirm that you are communicating with the proper receiver.

It implies that you can immediately confirm that your private discussion is encrypted when you click on the encryption tab. End-to-end encryption was first made available by WhatsApp in April 2016—seven years ago—and end-to-end encrypted conversation backups were made available on iOS and Android in October 2021 to prevent access to chat data, regardless of where they are kept.

Adding standard disappearing messages to all new chats increased the platform’s privacy management tools two months later, in December 2021. According to Meta, the parent company of WhatsApp, more than two billion users from more than 180 nations already use the instant messaging and video chat service.


A new account verification feature was announced by the popular instant messaging service WhatsApp on Thursday. The feature is meant to stop malware running on a user's mobile device from compromising their account. In a statement, the Meta-owned company said that "mobile device malware is one of the major dangers to people's privacy and security today because it may take advantage of your phone without your awareness and use your WhatsApp to send unsolicited messages." Device Verification is a security measure designed to prevent account takeover (ATO) attacks by severing the threat actor's connection while allowing the app's legitimate user to continue using it without interruption.

Put another way, the goal is to stop attackers who deploy malware on a victim's phone from stealing the WhatsApp authentication key and using it to spread spam and phishing links to the victim's contacts while posing as the victim. To do this, WhatsApp introduced a security token that is stored locally on the device, an authentication challenge that acts as an "invisible ping" from the server to the user's device, and a cryptographic nonce used to check whether the WhatsApp client contacting the server to retrieve incoming messages is the genuine one. The client must present the security token each time it connects to the server, which lets the server detect potentially suspicious connections. The security token is updated every time offline messages are fetched from the server, so a token copied earlier by malware goes stale.

The authentication challenge is considered failed if the answer arrives from a different device than the one being checked, which indicates an unusual connection made by an attacker; that connection is then blocked. If the client does not respond at all, the challenge is repeated "a few more times", and if it still goes unanswered the connection is severed. According to Attaullah Baig and Archis Apte of Meta, these three features help prevent malware that has obtained the authentication key from using it to connect to the WhatsApp server from outside the user's device.
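The following is an added, constructed model of the three checks described above (the locally stored token that rotates on offline-message fetch, the nonce-based challenge pinged to the registered device, and the retry-then-sever rule), not WhatsApp's own code or protocol. The per-device HMAC key, the push-handler abstraction standing in for the out-of-band ping, the retry count of three, and the "blocked"/"severed" outcome names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added illustration of the Device Verification idea, not WhatsApp's implementation.
MAX_CHALLENGE_ROUNDS = 3  # assumption: the page only says "a few more times"

# A push handler stands in for the server's out-of-band "invisible ping" to the
# registered phone. It gets the challenge nonce and returns (connection_id, response)
# from whichever connection the device answers on, or None if the device is silent.
PushHandler = Callable[[bytes], Optional[tuple[str, bytes]]]


@dataclass
class Account:
    token: bytes            # current security token; the genuine client keeps a copy
    device_key: bytes       # per-device secret for answering challenges (assumption)
    push: PushHandler
    blocked: set = field(default_factory=set)


class Device:
    """Genuine client: stores the token and answers challenges on its own connection."""

    def __init__(self, conn_id: str):
        self.conn_id = conn_id
        self.token: bytes = b""
        self.device_key: bytes = b""
        self.online = True

    def answer(self, nonce: bytes) -> Optional[tuple[str, bytes]]:
        if not self.online:
            return None
        return self.conn_id, hmac.new(self.device_key, nonce, hashlib.sha256).digest()


class VerificationServer:
    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def register(self, account: str, push: PushHandler) -> tuple[bytes, bytes]:
        token, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.accounts[account] = Account(token, key, push)
        return token, key

    def connect(self, account: str, conn_id: str, presented_token: bytes) -> str:
        """Every connection presents the security token; a stale one triggers a challenge."""
        acct = self.accounts[account]
        if conn_id in acct.blocked:
            return "blocked"
        if hmac.compare_digest(presented_token, acct.token):
            return "ok"
        return self.verify(account, conn_id)

    def fetch_offline_messages(self, account: str, conn_id: str) -> bytes:
        """Delivering queued messages rotates the token, so an earlier stolen copy goes stale."""
        acct = self.accounts[account]
        if conn_id in acct.blocked:
            raise PermissionError("blocked connection")
        acct.token = secrets.token_bytes(16)
        return acct.token

    def verify(self, account: str, conn_id: str) -> str:
        """Ping the registered device with fresh nonces; block on mismatch, sever on silence."""
        acct = self.accounts[account]
        for _ in range(MAX_CHALLENGE_ROUNDS):
            nonce = secrets.token_bytes(16)
            reply = acct.push(nonce)
            if reply is None:
                continue                            # device silent: ask again
            answering_conn, response = reply
            expected = hmac.new(acct.device_key, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, response) and answering_conn == conn_id:
                return "verified"                   # the connection under check answered itself
            acct.blocked.add(conn_id)
            return "blocked"                        # answered from a different device: attacker
        acct.blocked.add(conn_id)
        return "severed"                            # no answer after the retries


def enroll(server: VerificationServer, account: str, conn_id: str) -> Device:
    device = Device(conn_id)
    device.token, device.device_key = server.register(account, device.answer)
    return device


def scenario_stolen_token_after_rotation() -> tuple[str, str]:
    """Malware copied the token; the phone then fetched messages, rotating it."""
    server = VerificationServer()
    phone = enroll(server, "alice", "phone-conn")
    stolen = phone.token                                       # exfiltrated by malware
    assert server.connect("alice", "phone-conn", phone.token) == "ok"
    phone.token = server.fetch_offline_messages("alice", "phone-conn")
    first = server.connect("alice", "attacker-conn", stolen)   # phone answers the ping: blocked
    second = server.connect("alice", "attacker-conn", stolen)  # stays blocked
    return first, second


def scenario_genuine_device_with_stale_token() -> str:
    """The phone's own token is stale, but it answers the ping itself and keeps working."""
    server = VerificationServer()
    phone = enroll(server, "bob", "phone-conn")
    server.fetch_offline_messages("bob", "other-conn")         # rotation the phone missed
    return server.connect("bob", "phone-conn", phone.token)    # -> "verified"


def scenario_phone_unreachable() -> str:
    """Stale token presented while the registered phone is offline: retries, then severed."""
    server = VerificationServer()
    phone = enroll(server, "carol", "phone-conn")
    stolen = phone.token
    phone.token = server.fetch_offline_messages("carol", "phone-conn")
    phone.online = False
    return server.connect("carol", "attacker-conn", stolen)    # -> "severed"
```

The model makes the practitioner's point explicit: the token alone only catches a copy that has gone stale, and it is the challenge, delivered over a channel the attacker's client does not hold, that distinguishes the real phone from a connection made from outside the device while letting a genuine device with an out-of-date token keep working.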
