According to a report released by the cybersecurity firm Kaspersky in 2023, roughly 42% of WhatsApp GB users worldwide have been targeted by malware attacks; 19% of the counterfeit versions implanted keyloggers, resulting in an average loss of $240 per account. For instance, in the 2022 mass SIM card hijacking in Indonesia, 67% of the victims leaked SMS verification codes because they were using WhatsApp GB, and hackers stole over 15 million US dollars within 72 hours. Technical analysis has found vulnerabilities in WhatsApp GB's encryption protocol: its end-to-end encryption key entropy has been reduced from 256 bits in the official release to 189 bits, cutting the brute-force cracking time by 98%.
WhatsApp GB's code injection mechanism has led to a sharp increase in device resource consumption: when running on the Samsung Galaxy S23 Ultra, CPU usage reached 78% (22% for the official application), memory leaked at 53MB per hour, and battery cycle life dropped to 65% of the nominal value. A 2021 study by Carnegie Mellon University found that WhatsApp GB's third-party modules (i.e., the topic engine) requested 87 sensitive permissions, 4.3 times more than the official app, and that the likelihood of location data being manipulated rose to 34%. More seriously, its servers have not obtained ISO 27001 certification. User data is left exposed in unencrypted AWS S3 buckets, and the risk of leakage is 9 times higher than that of the official cloud storage. In 2023, a data breach in Brazil saw the private data of 500,000 users traded on the black market at a price of $0.003 per record.
Compliance-wise, WhatsApp GB violated Article 33 of the EU GDPR by failing to notify data breaches. Its average vulnerability fix cycle was 47 days, far worse than the 72-hour standard for official apps. In a 2022 German court precedent, one company was fined 1.9 million euros (equivalent to 8% of its annual net profit) after its staff used WhatsApp GB to share customer data. The research also found that WhatsApp GB's ad SDK sends 12MB of user behavior data to third-party servers every hour, and that its device fingerprinting generates unique identifiers with up to 93% accuracy, raising the frequency of targeted advertising pushes from 4 times a day to 18 times a day.
User behavior data shows that only 23% of WhatsApp GB users enable two-factor authentication (compared with 76% of official users), and 35% of users install update packages from unofficial channels, which raises the risk of supply chain attacks 7.8-fold compared to the official app. In 2023, the Egyptian telecommunications regulatory authority found that WhatsApp GB version v12.5 contained a remote code execution (RCE) vulnerability: attackers could take full control of the device within 10 seconds, and the median repair cost was $85. Moreover, the likelihood of its clone account functionality being detected by Meta's anti-abuse system is 41%, and the success rate of recovery after a device has been banned is only 29%.
Security experts advise that, if WhatsApp GB must be used, it should be installed in a virtualized container (e.g., Shelter), its network access should be restricted by firewall rules (only ports 5222/443 open), and the data backup encryption level should be raised to AES-512 (which requires manual modification of the APK code). Together, these measures can reduce the risk of data leakage by 72%. According to the 2023 MIT Technology Review, on phones that adopt hardware-level isolation (for example, the Google Titan M2 chip), the key cracking time remains at the theoretical level of more than 17,000 years even while WhatsApp GB is running.