WhatsApp’s Encryption Hasn’t Kept It Safe From Stalkerware


Among the sprawl of properties in the Facebook family, WhatsApp’s perhaps the only one that’s preached preserving user privacy and actually followed through. But that hasn’t stopped bad actors from finding new ways to spy and snoop without the platform’s — or any user’s — say-so.

As a new investigation from Business Insider details, apps promising to probe the platform — and its users — for sometimes sensitive intel have been cropping up across the Apple and Android app stores. And while this is not a great look for a trio of companies that have spent the past year trying to one-up each other’s promises to protect their users’ privacy, none of them appears too motivated to snuff out this new form of stalkerware.

It’s worth clarifying here that these apps aren’t magic. WhatsApp has spent the past six years staunchly setting end-to-end encryption as the default for all messages sent over its pipes. And save for the occasional oopsie, that encryption does its job: no third party is going to decipher the messages or pictures being sent back and forth over the platform unless they can actually get their hands on your physical device and pump it full of malware. What encryption protects is the content of the messages. It says nothing about the metadata around them, such as whether a given account is online right now, and that is what these apps feed on.

Instead, these stalkerware services seem to rely on the one public-facing bit of user information that WhatsApp actually exposes to anyone who has your phone number: the online status indicator that shows whether a contact currently has the app open. It’s a ho-hum piece of data that’s typically used to know, say, whether your uncle overseas is around for a call. But data, even tiny breadcrumbs like this, never exists in a vacuum, which is why it’s a disappointing inevitability that something so simple could be used for tracking something like when your ex-girlfriend is sleeping.

The way this sort of sorta-stalkerware operates is pretty simple. A person downloads one of these apps and plugs in the phone number of the other person they’re looking to track, and that number’s online status is then polled ’round the clock, logging every transition from online to offline and back. Over the next few days, weeks, or months, this builds up a pretty good picture of the target’s typical schedule — when they’re waking up, when they’re sleeping, and when they’re most likely to be hanging out in-app. Some of the apps Business Insider dug up bragged about the ability to guess whether two contacts were likely to be talking to each other at any given time, based on how often they’re online simultaneously. Naturally, this all happens without the target’s consent.

The efficacy of these apps is questionable, given that this single bit of WhatsApp data is binary: either the app is open or it isn’t, and there’s no ‘idle’ state. People who choose to leave WhatsApp open while not actively texting or calling are, in a way, foiling this script kiddie-level stalkerware, because the signal they emit no longer says anything about when they are actually awake or active. Still, the fact that anyone would want to snoop on strangers this way, and that a willing network of enablers would build the tools to let them regardless of the validity of their findings, is — to use the technical term — fucking gross.
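To make concrete both how the schedule inference above works and why the binary signal is so easily fooled, here is an added example (not code from the article or from any of the apps it describes). It assumes the stalkerware has already collected a log of online/offline transitions; the log below is constructed, and the analysis runs entirely over that constructed data. It derives the longest daily "quiet" window, which a snoop would read as sleep, and a co-presence score between two contacts, and shows that a user who simply never closes the app yields no quiet window at all.

```python
"""Infer a daily routine and contact overlap from WhatsApp-style presence events.

Added example, not code from the article or the apps it describes. The event
logs below are constructed; a real stalkerware service would have to poll the
online indicator itself, which this example does not do.
"""
from datetime import datetime, timedelta


def intervals_from_events(events):
    """Turn chronological (timestamp, 'online'|'offline') events into
    (start, end) online intervals. A trailing 'online' with no matching
    'offline' is dropped because its end is unknown."""
    intervals, start = [], None
    for ts, state in events:
        if state == "online" and start is None:
            start = ts
        elif state == "offline" and start is not None:
            intervals.append((start, ts))
            start = None
    return intervals


def online_minutes_by_hour(intervals):
    """Sum online minutes into 24 hour-of-day buckets across every observed day."""
    buckets = [0.0] * 24
    for start, end in intervals:
        t = start
        while t < end:
            next_hour = (t + timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
            step = min(end, next_hour)
            buckets[t.hour] += (step - t).total_seconds() / 60
            t = step
    return buckets


def quiet_window(buckets, max_minutes=0.0):
    """Longest circular run of hours with at most max_minutes online.
    Returns (start_hour, end_hour_exclusive), or None when no hour is quiet,
    which is exactly what a target who never closes the app produces."""
    quiet = [m <= max_minutes for m in buckets]
    if not any(quiet):
        return None
    if all(quiet):
        return (0, 24)
    best_len, best_start = 0, 0
    for start in range(24):
        length = 0
        while length < 24 and quiet[(start + length) % 24]:
            length += 1
        if length > best_len:
            best_len, best_start = length, start
    return best_start, (best_start + best_len) % 24


def co_presence(intervals_a, intervals_b):
    """Share of A's online minutes during which B was also online."""
    a_total = sum((e - s).total_seconds() / 60 for s, e in intervals_a)
    if a_total == 0:
        return 0.0
    overlap = 0.0
    for a0, a1 in intervals_a:
        for b0, b1 in intervals_b:
            lo, hi = max(a0, b0), min(a1, b1)
            if hi > lo:
                overlap += (hi - lo).total_seconds() / 60
    return overlap / a_total


def daily_events(day, sessions):
    """Constructed helper: sessions are (h0, m0, h1, m1) online spans on one day."""
    events = []
    for h0, m0, h1, m1 in sessions:
        events.append((datetime(2022, 1, day, h0, m0), "online"))
        events.append((datetime(2022, 1, day, h1, m1), "offline"))
    return events


# Constructed logs over three days (10-12 January 2022).
TARGET_SESSIONS = [(7, 0, 8, 0), (12, 0, 12, 30), (20, 0, 23, 0)]
CONTACT_SESSIONS = [(9, 0, 9, 30), (20, 30, 22, 30)]
TARGET_EVENTS = [e for d in (10, 11, 12) for e in daily_events(d, TARGET_SESSIONS)]
CONTACT_EVENTS = [e for d in (10, 11, 12) for e in daily_events(d, CONTACT_SESSIONS)]
# Someone who leaves the app open the whole time: one online interval, no gaps.
FOILER_EVENTS = [(datetime(2022, 1, 10, 0, 0), "online"),
                 (datetime(2022, 1, 13, 0, 0), "offline")]

if __name__ == "__main__":
    target = intervals_from_events(TARGET_EVENTS)
    contact = intervals_from_events(CONTACT_EVENTS)
    foiler = intervals_from_events(FOILER_EVENTS)
    print("target quiet window:", quiet_window(online_minutes_by_hour(target)))
    print("foiler quiet window:", quiet_window(online_minutes_by_hour(foiler)))
    print("co-presence target/contact:", round(co_presence(target, contact), 3))
```

Run stand-alone, the constructed target comes out with a quiet window from 23:00 to 07:00 and a co-presence score of about 0.44 with the contact, while the always-online account produces no quiet window at all. Note that co-presence only measures overlap, not conversation: two people on the same time zone with similar evening habits will score high without ever messaging each other.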

Some of these apps manage to slide by under the guise of being handy tools to monitor whether your kids are getting up to some funny business when they’re not supposed to be, while others are more upfront about exactly how slimy they are. One of the webpages for the programs that Gizmodo found pitches itself as a way for parents to get notifications about their kid’s whereabouts “even if they block you,” while elsewhere describing how the same could be done for your “friends, lover, [or] wife.” Another app found in the initial report is even more explicit about what it’s there to snoop on:

Something is up. Maybe your significant other keeps texting under the covers late at night or taking suspicious trips to the bathroom at all hours with their phone in their hand. Maybe one of your employees is acting strangely every time you catch them sending a Whatsapp message during work hours, and you want to know what it is they’re sending. Or perhaps it’s even your teenager, who has been refusing to tell you who they’ve been sending messages to in the dead of night and why they’re staying out so late after school. Either way, something isn’t right, and you know it.

WhatsApp reps told Business Insider that the platform’s terms bar this sort of tampering outright, and that the company “[requests] that app stores remove apps that abuse our brand” and violate those terms in the process. They also confirmed that disabling the “online” indicator for a given user is functionally impossible, meaning that WhatsApp offers little protection against this sort of verboten tampering beyond politely asking Apple and Google to knock it off.

Meanwhile, both app store companies are stuck in a game of whack-a-mole with these programs as they arise. Thus far, it looks like they’re each doing a fairly shitty job: while Google does take its policies prohibiting ads or promotions for spyware pretty seriously, those policies are lacklustre at best, with the latest update explicitly allowing this sort of tech as long as it is marketed to parents rather than jealous exes. Apple’s own policies touch on malware but not spyware, which means these apps are also free to proliferate across that ecosystem.

In other words, it seems like all of these companies have regarded this gross invasion of privacy as something that’s either entirely kosher, or just not their problem to solve. We’ve reached out to WhatsApp, Apple, and Google for comment and will update if we hear back.