WhatsApp boosts defense against account takeover via malware

WhatsApp announced today the introduction of several new security features, one of them dubbed "Device Verification" and designed to provide better protection against account takeover (ATO) attacks.

Device Verification prevents malware from using authentication keys stolen from infected mobile devices or via unofficial clients to impersonate accounts and use them to send scam and phishing messages to people in the targeted users' contact lists.

It will automatically block attackers' account-hijacking attempts via invisible back-end checks using three new parameters: a security token stored on the device, a nonce used to identify if the client is connecting to retrieve a message from WhatsApp's servers, and an authentication challenge that will asynchronously ping the user's device.

"Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages," WhatsApp said.

"To help prevent this, we have added checks to help authenticate your account - with no action needed from you - and better protect you if your device is compromised. This lets you continue using WhatsApp uninterrupted."

This feature has already been rolled out to all users of WhatsApp for Android and is currently also rolling out to iOS users worldwide.

WhatsApp announced two more security features designed to notify users when their accounts are being moved to other devices and to automatically verify security codes to confirm secure connections to the server.

"Account Protect" will act as a double check or extra security check for when WhatsApp accounts are being linked to new devices and will alert you in the event of unauthorized account transfer attempts.

​"Automatic Security Codes" is a new cryptographic security feature that uses key transparency and the Auditable Key Directory (AKD) to allow WhatsApp clients to validate user encryption keys automatically and to check if end-to-end encryption is enabled.

"Our most security conscious users have always been able to take advantage of our security code verification feature, which helps ensure you are chatting with the intended recipient," WhatsApp said.

"What it means for you is that when you click on the encryption tab, you'll be able to verify right away that your personal conversation is secured."

WhatsApp introduced end-to-end encryption 7 years ago, in April 2016, and rolled out end-to-end encrypted chat backups on iOS and Android in October 2021 to block access to chat contents, regardless of where they're stored.

Two months later, in December 2021, it expanded the platform's privacy control features by adding default disappearing messages to all new chats.

Meta, WhatsApp's parent company, says the instant messaging and video calling platform is now used by over two billion people from over 180 countries.