WhatsApp has been in a race to keep up with Telegram by matching old features and putting out new ones. Among the features currently under development on the widely-used messaging app is the ability to block users from taking screenshots of self-destructing images and videos. But parent company Meta may have some bigger privacy concerns on its plate, based on a lawsuit it has filed against a handful of firms that have developed unofficial WhatsApp clients on Android that were reportedly harvesting sensitive user data.
Around a million WhatsApp users may have compromised their accounts using these unofficial apps since May, BleepingComputer reports. The lawsuit filed with the U.S. District Court for the Northern District of California names Hong Kong-based Rockey Tech HK Ltd., Beijing Luokai Technology Co. Ltd. from China, and ChitChat Technology Ltd., headquartered in Taiwan.
Meta alleges that these companies collectively market their apps under names like "HeyMods," "Highlight Mobi," and "HeyWhatsApp," with the purpose of luring in WhatsApp users with claims of advanced platform features, then hijacking their accounts to siphon their data and spam contacts with messages. Some of the other malicious apps identified by Meta include "AppUpdater for WhatsPlus 2021 GB Yo FM HeyMods" and "Theme Store for Zap."
The complaint claims some of these apps were available for download on the Google Play Store while others were found on third-party APK sites such as APKSFree, Malavida, iDescargar, and APK Pure. These apps deliver bundled malware post-installation to fetch user account info.
The aforementioned AppUpdater for WhatsPlus 2021 GB Yo FM HeyMods app was reportedly downloaded more than a million times via the Play Store. However, the listing appears to have been taken down as of press time.
"The Defendants programmed the Malicious Applications to communicate the user's credentials to WhatsApp's computers and obtain the users' account keys and authentication information," an excerpt from Meta's complaint reads.
The paper further points out that the developers' actions are a violation of the Meta developer agreement and the WhatsApp terms of use. Additionally, the company argues that it has sustained damages as a result of the existence of these malicious apps as well as having to track them down.
Meta warned users about some of these apps back in July, as BleepingComputer notes. The head of WhatsApp, Will Cathcart, posted a detailed thread on the perils of fake WhatsApp apps, citing the example of a developer named HeyMods who was responsible for publishing apps such as "Hey WhatsApp" and others. Cathcart noted that the company also passed along its findings to Google, which was able to take down the app listing.
This revelation in July also persuaded Google to roll out an update to Play Protect, enabling the system to identify malware-riddled apps that are already installed on the device. It's not new for malicious apps to have slipped through the cracks and made their way to the Play Store. But Google, for the most part, has been actively identifying and removing several of these apps.
As for Meta's efforts, we'll have to watch how the court proceeds and wonder if the defendants in question will even bother to respond.