WhatsApp users are now under threat from the same kind of “text bomb” message that recently plagued iMessage users. Strings of strange characters that not only make no sense to users but confuse WhatApp itself. Just as with iMessage, the issue is that the app’s failure to render the message will lead to a crash. The much more serious issue here, though, is that once a user has opened a message it might send the app into a crash each time it’s opened. And that could mean a user needing to delete and reinstall the app.
This latest threat was reported by WhatsApp watcher WABetaInfo on Sunday, “there isn’t a general way to describe this,” the site warned, “so we prefer to call them ‘Scary Messages’. Scary Messages are very dangerous, and they can destruct your experience in WhatsApp.” According to the site, the issue has been especially prominent in Brazil but is not getting wider traction.
-Anti crash integrated into official WhatsApp: There are messages designed to freeze or crash your WhatsApp. Then there are modded WhatsApp versions that have a “Crashcode protection” like a bigger Unicode database. We need this integrated into the official application. pic.twitter.com/bpyWtFUwQO
— Ian (@Ian_Oli_01) August 15, 2020
The other angle to this attack is the forwarding of corrupted VCFs—contact files with multiple contacts, some of whom again have long names filled with alien characters. WhatsApp is rolling out a fix, and has said in a statement that “it has released and already begun rolling out a patch that addresses this in its latest iOS software update,” adding that “we strongly encourage users to keep their WhatsApp app and mobile operating system up to date and download updates whenever they’re available.”
This specific issue isn’t new—WABetaInfo says that such attacks can be traced back as far as three years. But there was a WhatsApp Killer Message-warning from the security researchers at Check Point late last year, which should have altered the platform to taking action across its various apps to deal with this kind of attack.
As then, part of the mitigating advice now—in addition to ensuring you update your app—is to limit those who can add you to groups to contacts only. The issue raised by Check Point was the use of groups as an attack vector to share corrupted messages with targets.
It seems that different attack messages are designed for different platforms—Android and iOS. If you see a message come through, without opening it of course, block the contact using WhatsApp’s web app and remove the message—do not do this within your smartphone app as you’ll risk the crash. If that doesn’t work, perhaps because you’ve already knocked WhatsApp into a crash loop, then you will have to reinstall the app and restore you message history from a backup.
So—keep an eye out for messages from new contacts and don’t open them, change your group settings right away, and make sure you have your message history backed up—even though messages backed to the cloud do not have the same level of end-to-end encryption as used by the app.
