An Italian surveillance company has reportedly made a fake WhatsApp application for iOS, which is being used to target users and gather sensitive data.
According to a report by researchers from digital rights watchdog Citizen Lab (reported via Motherboard), some iPhone users were tricked into installing a fake version of WhatsApp. This app was reportedly linked to an Italian surveillance company, Cy4gate. Reportedly, the hackers did not mean to spread the fake application widely; instead, it was targeted at specific users only.
In addition to this, the report reveals that this fake version of the application can get hold of information like “the UDID, or Unique Device Identifier assigned to each iOS device by Apple; and the IMEI or International Mobile Equipment Identity, another unique code that identifies cellphones”.
As per the report, the page that was created to trick the users into downloading the fake version of the app looked a lot like the actual WhatsApp website and it laid out the step-by-step process to download the app. This page is currently unavailable.
According to a statement by a WhatsApp spokesperson given to Citizen Lab, “We do not ask for these user privileges and people should be very suspicious of any app trying to do so. We strongly oppose abuse from spyware companies, regardless of their clientele. Modifying WhatsApp to harm others violates our terms of service. We have and will continue to take action against such abuse, including in court”. The spokesperson also advised the users to always download the app from the designated app store only.
Last week, the security company ZecOps tweeted about the attack on iOS users.
Bonus: IOCs for Whatsapp related attacks on iOS (not necessarily related to the above tweet):
URL: config5-dati [DOT] com
Last known IP address: 220.127.116.11
— ZecOps (@ZecOps) January 26, 2021
Motherboard reached out to the accused party, Cy4gate, regarding the allegations. As per the report, the company rejected the accusation, saying the “config domains” that traced back to them are not “attributable to the company.” However, the company spokesperson confirmed that “the check3[.]it domain belonged to the company”.