Facebook’s reluctance to feedback is putting millions of WhatsApp users at risk of malware

Workarounds aimed at hiding ‘online’ activity on WhatsApp can seriously compromise user security and privacy.

But, Facebook doesn’t care.

The internet is filled with articles such as this one on Business Insider, aimed at teaching desperate users how they can hide their online presence on WhatsApp. Quite a lot of these articles mistakenly mix up the ‘Last Seen’ status with the ‘online’ text indicator that appears below a contact’s name (image above). The latter is an indicator that the app is running in the foreground on the user’s device. The text quickly morphs to typing… should your contact start writing you a few endearing words.

The official WhatsApp FAQ (archived) does teach you how to tailor your ‘last seen’ status but explicitly states you can’t hide being online.

The psychology of being ‘online’

Given all these articles that have sprung up, it is likely that a great many users have already asked to be able to hide that they are ‘online’, without much success. And there is good reason for it.

Being able to see in real time who is online, and having others see you online when you’d rather be incognito, creates a mental pressure on everyone’s part to respond to messages immediately, or risk implicitly giving off the impression that they are ignoring the sender, should they not respond to a message right away.

If you wanted to willingly ignore a text from someone (a Tinder date that went wrong, a colleague from the past who is best left forgotten, or a personal trainer you’re taking a break from…), this now becomes increasingly difficult. Seeing you ‘online’ multiple times without a response is a revelation to the sender that they are being ignored, and that creates sheer awkwardness in the air.

Blocking the sender, on the other hand, would make your intentions blatantly obvious and may seem unnecessarily harsh. You simply don’t want to respond.

Imagine a day when WhatsApp ceases to show anyone which of their contacts are ‘online’ or typing in real time. That is the moment it’ll truly look and feel like an asynchronous messaging app, like your basic text message (SMS) widget, and begin offering everyone the privacy they deserve.

The way it is designed now, WhatsApp is essentially a chat messenger, not a text messaging app. And the powerful psychology behind ‘online’ is what fuels this and pushes user engagement.

It’s amazing for WhatsApp, and terrible for user privacy.

The dangers of ‘workarounds’

While simplistic and unsophisticated workarounds have instructed users to play with Airplane Mode or reply inline from the notification, all to evade being seen ‘online’ for some time, neither of these is practical enough. The second you open the app in the foreground, the ‘online’ status returns to haunt you, for everyone to pry on.

Third-party apps

A dangerous workaround floating around the internet involves installing bootleg apps called ‘WhatsApp GB’ or ‘WhatsApp Plus’, which let you do things the official WhatsApp won’t.

These unofficial APKs are not available on the Android (Google Play) app store or endorsed by any reliable party. That means you’d have to download the app from an untrusted third-party site, which could very well be malicious, override your phone’s security warnings, and trust that the ‘WhatsApp GB’ or similar app you’ve downloaded hasn’t been tampered with to include malware or adware. You’ll also be granting these apps extensive permissions to access your WhatsApp chats, contacts, phone data and functions, in the expectation of perhaps finally being able to hide your ‘online’ activity.

With news breaking every day about Android apps that end up being malware or ransomware in disguise, it is not hard to imagine such a scenario involving WhatsApp soon.

Facebook’s solution

Instead of hearing users’ concerns and empowering them with the ability to truly manage their privacy, Facebook would ban your account (archived) should they discover you using one of the unofficial apps. A totalitarian move indeed.

WhatsApp claims “your privacy is our priority.” They brag about offering end-to-end encryption, giving you control to better manage your privacy, and keeping you safe. But none of these measures go far if a third-party app can compromise all these tenets, simply because of WhatsApp’s, or rather Facebook’s, reluctance to implement user feedback.

Providing a simple feature that lets a user hide being ‘online’ is easy enough. The risks arising from failing to do so are bad for everyone, and a potential PR disaster for WhatsApp.

Moreover, reluctance to change paves avenues for new apps like Houseparty to tap into the market, and bridge the gap between user expectations and the delivered product.

© 2020. Ax Sharma (Twitter). All Rights Reserved.
Originally appeared on dev.to.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
