HeadsUp for WhatsApp – Analysing Messaging Spam over WhatsApp

OTT messaging apps are big business. At the very start of 2015, the world’s biggest messaging app, WhatsApp, announced they were handling up to 30 billion messages a day. This is an impressive figure and a sign of the growth that messaging apps have experienced. However there are signs that their scale is beginning to attract unwanted attention. Namely criminals groups who have made it their business to spam on other messaging bearers like SMS, now seem to be moving or being pushed to do the same on OTT messaging apps. Let’s take a look at spam on the biggest messaging app ; WhatsApp.



A few weeks ago we monitored the below image-spam being received by Irish & UK WhatsApp subscribers in a wave of attacks. The spam itself was a investment advertisement from US numbers. This spam type in itself was not surprising, but what is surprising is how relatively limited WhatsApp spam has been in the past. However this seems to no longer be the case.

WhatsApp spam message "Fine Art Investment"

As well as this investment spam, which seemed to have been concentrated to a few waves, WhatsApp users in Europe are being targeted over the last few weeks with more constant spam attacks that have been directly seen on other bearers. The current most reported attack on social media[1]is the fake handbag/luxury goods spam:

WhatsApp scam message advertising cheap Ray-Ban Sunglasses

The links in these messages lead to the respective websites, which sell fake copies of the goods mentioned:

Website page selling fake Louis Vuitton handbags Website page selling fake Ray-Ban sunglasses

This spam, which has been reported from Chinese mobile numbers, is very similar to the same type of spam which has been implicated in a Chinese originated iMessage spam attack in 2014 that affected primarily the US ,but also other countries. An example iMessage spam from July 2014 is below, which you can see is clearly similar to the WhatsApp examples. Due to the massive decline in the amount of SMS Spam in America, this attack gained prominence as it occupied a large percentage of the remaining spam being reported at the time. The presence of the same kind of attacks, clearly indicates that these types of spammers have decided to switch, or at least diversify onto WhatsApp.

SMS spam message promoting Luis Vuitton Handbag for 80% off

Another sign of cross-over of spam from one bearer to another was the reporting of mobile malware being spread by WhatsApp in the last week. In this analysis it was also reported the malware -termed SocialPush by Lookout – was being spread by Twitter, however, in addition we (AdaptiveMobile) also detected this same malware being spread by SMS – meaning the malware authors or other users of it decided to distribute it over popular multiple messaging systems regardless of type. Other WhatsApp spam types, such as porn-conversation ads[2] shown below have begun being received in the Middle East, primarily from Indian mobile numbers. While not the same criminal group, and so not directly connected, the method used matches the porn bot spammer group which operated originally on Yahoo and AIM, and is now present on Kik Messenger.

Porn conversation Ad on WhatsApp featuring young female Porn conversation Ad on WhatsApp featuring young female Porn conversation Ad on WhatsApp featuring young female Porn conversation Ad on WhatsApp featuring young female

The total scale of these individual spam attacks over WhatsApp is hard to tell, but if anything, it does seem clear that WhatsApp is joining the ranks of messaging systems which now have a functioning and active spam ecosystem, and the contributors to this spam are being affected by and coming from other messaging systems.


For a Few Rupees More

While other regions are being affected by spammers gradually moving into WhatsApp, one country in particular has faced a massive influx on spammers moving onto the messaging app – for reasons that should have actually had no impact on WhatsApp. The country where WhatsApp spam seems the worse is India, and here it is increasing, bizarrely, due to government regulation.

In September 2011 the TRAI’s (Telecom Regulatory Authority of India) anti-spam regulations for SMS came into being for mobile operators in India. This enforced fines against mobile operators for every single incident of sms spam reported by subscribers. While it took some time for these regulations to be implemented, the results in the last few years have been widely successful. In one Indian Mobile Operator that AdaptiveMobile are actively filtering in, sms spam reported has dropped by nearly 97% in 2014 alone (see below), and over 99% since filtering was introduced, with a ‘steady state’ being indicated for the last 10 months. To give another comparison, a net result is that the background rate of spam actually sent and blocked – in another Indian operator AdaptiveMobile is active in – is now roughly around 0.12%. This is over 350 times lower than China, which reported a rate of about 45% spam as a percentage of all messages in 2014.

However this success seems to have led to spammers in India changing tactics, and in this case, one of those tactics is to switch to send spam via WhatsApp. First reported in early 2014, recent news reports from India indicate that while operators there confirm they are now winning the fight against SMS spam, spam sent over internet based messaging such as WhatsApp is a major new front of unsolicited messaging. The type of unsolicited messaging covers many different types of spam, but primarily tend to be a whole range of unsolicited advertisements, such as below:

Unsolicited WhatsApp advertising message sent to Indian users Unsolicited WhatsApp advertising message sent to Indian users

Economically, it is now very cost-efficient to send WhatsApp spam in India. One report explains that prices for WhatsApp advertising text messages bought in bulk are now as low as 0.21 Rupees (around 0.3 of a US or Euro cent), and not much higher for image messages. In fact, just browsing the internet you can find even lower deals, here you can see offers for advertising WhatsApp messages at 0.18 Rupees. It’s interesting that on the same website SMS costs for the equivalent bulk deal are 0.09 Rupees, meaning WhatsApp spam is still twice as expensive to send as SMS spam. This may not be the case for long – the price (of WhatsApp advertising) was much higher in the past and will probably continue to drop.

So what do you get for your extra 0.0015 dollars? Well for one its still more complicated for the spam provider to set up and send via WhatsApp, so those costs must be covered. But beyond that sending via WhatsApp allows advertisers using the ‘service’ to send longer messages, and images if required. However one main reason spammers are switching to send on WhatsApp is because they are exploiting a loophole in the anti-spam regulations. As an IP service, which users optionally sign up for, and not a ‘core telecom service’, WhatsApp is not covered by the Do-Not-Disturb requirements, leading to a thriving industry offering to send spam over WhatsApp. This fact is even pointed out by spammers spamming their services to those who which wish to advertise – see the example we have highlighted below – which clearly spells out the advantage of WhatsApp as being legally able to send to DND (do not disturb) numbers. Government intervention, it seems, has given a perfect reason for SMS spammers to move to WhatsApp in India.

WhatsApp message offering to send WhatsApp spam on behalf of a business as a form of advertising


Return to Sender

The source of these spam messages is also useful in our analysis. One of the benefits with WhatsApp is the cost of sending international messages is irrelevant, and so the source number can be from anywhere. The same is the case for WhatsApp spam, with investment spam originating from the US but being received in Europe, luxury goods spam originating from China and also being received in Europe, and porn spam originating from India but being received in the Middle East. If we dive deeper into the numbers used, we can also see evidence of a more complex spamming structure emerge.

From analysing the US numbers reported sending WhatsApp spam worldwide many of them belong to VoIP operators, meaning they can be assigned virtually. This is interesting as numbers that can be assigned virtually would be valuable for WhatsApp spam purposes, as in the case of WhatsApp account closures, spammers could simply use new VoIP virtual numbers to create and validate new accounts to continue sending WhatsApp spam. The use of VoIP numbers has been common in SMS Spam in the last 1 to 2 years in the US as ‘real’ numbers have become less attractive to send spam due to aggressive shutdowns. This reuse of the same methods from other messaging spam types – of using VoIP numbers – along with the same scams, means that the WhatsApp spammers are not ‘native’ spammers, but incoming groups who have operated on other types of messaging, and who come to WhatsApp with extensive experience.

What is WhatsApp to do? Well, recent updates from Germany draws some attention to how WhatsApp now deals with spammers, with temporary exclusions being put in place if users send to too many users who do not have them as their contacts, and have been blocked by too many people in a short period of time. Some of these techniques are innovative and useful – as they use the ‘reporting’ of blocked users to give a reputation, and also by using the contacts uploaded by WhatsApp users as a form of validation. The principle behind this is that if both parties in a conversation have each other as a contact, then they should be permitted to send to each other.

You are temporarily banned from WhatsApp message sent to WhatsApp spammers

Unfortunately though, there are failings. The above methods are behaviour based and may generate ‘false positives’ (senders flagged as spammers that are not) occasionally. For example, if someone lost their phone, received a new number, and sent a WhatsApp message to all their old contacts, they might trigger the above restriction. This would be why these restrictions lead to temporary blocking of the WhatsApp account, and not permanent. Optimisation of these restrictions to prevent false positives is likely to be a long-term effort. More seriously, at the moment it is not possible to actually report the spam message content to WhatsApp, nor can users restrict WhatsApp messages to be received from contacts only – in effect forming an allowed list of approved senders. This 2nd point of not introducing an allowed list is probably a deliberate design decision to ensure that new WhatsApp users can contact people within the App, without having to resort to SMS or other apps. In addition, one security feature that WhatsApp have already implemented – End to End encryption – rules out several of the methods that messaging systems use to deal with spam.

You Can Please Some of the People..

End-to-End encryption means that messages are encrypted in transit from one handset to another, without the WhatsApp servers routing the message or any other entity being capable of decrypting the messages in transit. While laudable, there are trade-offs based on this decision, and in this case it also means that spam filters within the WhatsApp servers cannot extract features from encrypted WhatsApp message content in order to apply anti-spam content logic on the messages. The discussion on the mix between end to end encryption and anti-spam was covered well in this conversation, and is well worth a look. The end result is that it is very difficult to do content filtering of WhatsApp messages on the server-side, preventing the use of many of the techniques used in unencrypted messaging systems. However this need not be a critical loss, its problematic, but as the E2E conversation states there might be ways to do some feature extraction at the client, although these are likely to be infeasible or untrustworthy. Long-term, promising methods like – homomorphic encryption – an encryption approach that allows operations on encrypted values without having to decrypt the value first, may offer WhatsApp the ability to filter the encrypted content at their servers. While great strides have been made recently in this, its still likely to take many years before its ready for widespread use.

For now though, WhatsApp (and any mobile based service) is still in a good position of having strong identity – namely phone numbers – on which it can base attribution, and all OTT messaging apps are in control of who has access or not. Plus it would be a mistake to think that WhatsApp is being ‘flooded’ by spam to the same extent of email. While only WhatsApp know the true level of spam in their ecosystem, there may be ways for us to gauge the exposure users have it, by using Google Trends. Below we have plotted a graph of searches in Google of the words “WhatsApp spam” v “SMS spam” from 2011 onwards. If one assumes the usefulness of Google Trends to infer what people search for to indicate that they have been affected (an assumption that has been proved problematic with Flu searches), then there are two ways to read this:

  • One, WhatsApp, with 700 million users, compared to the World’s 4.6 billion mobile phone users – all capable of receiving SMS – is generating proportionally more searches for spam than would be expected.
  • On the other hand, WhatsApp, with up to 30 billion messages being sent a day, versus SMS’s estimated 20 billion, is generating proportionally less searches for spam than would be expected.

Graph of the number of searches for SMS spam relative to searches for WhatsApp spam from January 2011 to January 2015

The truth of course, is probably somewhere in between. The fact the search terms are in English and the presence of peaks related to public events such as WhatsApp email-spam news articles means these trends must be taken cautiously. Trends like these are best if they are added to additional data but it’s clear even from the data we have that users at least are searching WhatsApp spam more frequently, and it’s on track to exceed the searches for SMS Spam by mid-summer 2016. This again indicates a shift in a spam ‘metric’ from SMS to WhatsApp. In any case the days of WhatsApp users assuming that they are immune from spam are drawing to an end, for the message is that as it becomes bigger, the more it is going to be a target for the spammers and criminals who have honed their skills on other, more established, messaging bearers.


Old Spammers Never Die…

For this discussion, we focused on WhatsApp, being the biggest OTT messaging App with a size of 700 million active monthly users, but we could have taken any of the main messaging Apps. The lesson is, that with a ‘pull’ factor of a growing user base, and with a ‘push’ factor of increased spam defences and (in some regions) government regulation on other bearers, the OTT messaging apps become more and more attractive to the established messaging criminal groups to ‘cross over’. Therefore these apps should be alert and prepared to implement the technologies and teams needed to deal with the threat before it has a chance to affect the service or users. For WhatsApp and others in 2015, the recommendation is to expect more ‘cross-overs’ from other messaging systems and build in security to stop them.

Related insights

Mobile World live webinar: Diary of a CISO

Watch Webinar Recording: Diary of a CISO – Building a Resilient Telecom Organization

Read more

Tags: MNO, Mobile Security

Storm-0539 Cybercrime Gang: Microsoft Alerts Companies of Gift Card Fraud From Moroccan Hackers

Read more

Tags: SMS, SMS scam

Infosecurity Magazine logo

Cyber-criminals Exploit Cloud Storage for SMS Phishing Scams

Read more

Tags: SMS scam

Enea in Mobile Europe

Cyber-criminals using AWS, Google and IBM services to steal data by SMS

Read more

Tags: SMS scam

Top Cloud Services Used for Malicious Website Redirects in SMS Scams

Read more

Tags: SMS, SMS scam