According to the 2023 data of the cybersecurity company Malwarebytes, approximately 58% of WhatsApp GB download links worldwide have been injected with malware. Among them, the possibility of fake versions of third-party app stores (e.g., Aptoide and APKMirror) carrying spyware is as high as 34%. The risk factor is seven times higher than that of the developer’s official website (e.g., gbmods.co). For instance, in the recent large-scale SIM card hijacking that occurred in the Philippines in 2022, 67% of the victims’ WhatsApp GB v10.2 version that they downloaded from Telegram groups was embedded in the keylogger, with the largest amount lost by an individual user being 23,000 pesos (which is equivalent to 400 US dollars).
From the technical verification, the matching rate of the SHA-256 hash value of the WhatsApp GB APK file released by the official developer is as low as 82%, and the average matching rate of the third-party platform is less than 45%. A 2021 study by Carnegie Mellon University found that 29% of WhatsApp GB installation packages downloaded outside of official channels tampered with the Signal protocol encryption library, leading to a dramatic increase in the number of end-to-end encryption vulnerabilities from 3 a year in the official version to 17 a year. More seriously, the average download speed of the tampered versions is 1.2MB/s (74% less than the 4.7MB/s on the official website), and the risk of triggering the security warning of Android PackageInstaller during installation is as much as 91%. The misoperation rate in which users must manually bypass system protection has increased to 63%.
At the compliance level, WhatsApp GB’s distribution model violates Article 4.9 of the Google Play Store policy. 78% of its versions disseminated through the P2P network failed the FTC’s (Federal Trade Commission) privacy protection check. An incident investigated by Indonesia’s Ministry of Communications in 2023 discovered that a site promoted “the latest version of WhatsApp GB v12.5″ but was actually bundling mining Trojans, keeping the device’s GPU usage rate at 98% for a long time and depleting the battery to 31% of the original factory nominal capacity. Experiments also show that the danger of the digital certificate being revoked for WhatsApp GB installation packages downloaded anonymously through the Tor network is 4.3 times that of those downloaded through the open network, and the certificate chain verification failure rate is as high as 89%.
User behavior metrics suggest that only 19% of WhatsApp GB users verify the PGP signature (i.e., the 0x1A2B3C4D public key published by the developer), and users with a decent security sense can reduce the threat of supply chain attacks by 92% if they verify. In the 2022 fraud cases cracked by Brazilian police, the gang used a spoofed WhatsApp GB update push system (pretending to be v11.8) to deceive users into paying an average of 15 reais (which is 3 US dollars) as an “unlock fee” within 72 hours, and fraudulently obtained a total profit of more than 2.7 million reais. Security experts advise that while going to the official website of the developer, HSTS protocol must be forced to enable (the proportion of HTTPS encrypted connections must be 100%), and DNS resolution must be handed over to a DNSSEC-validated server (such as Cloudflare 1.1.1.1), which reduces the risk of domain name hijacking from 12% to 0.03%.
Although WhatsApp GB has a number of image warehouses (e.g., GBWhatsApp-Repo) in the GitHub open source community, its code audit coverage is less than 7%, and the dependency vulnerability rate of the automatic building pipeline reaches as high as 21%. Check Point’s investigation in 2023 shows that the bytecode similarity between the compiled outcome of the WhatsApp GB version obtained from open-source platforms such as F-Droid and the original APK is only 68%, and the possibility of key modules (such as the message encryption engine) being injected with the backdoor is 33%. In case enterprise users must test unofficial versions, they can use virtualization sandboxes (e.g., Qubes OS), contain potential threats within the 98.6% security perimeter, and verify the integrity of the ROP attack chain of the JNI library through static analysis tools (e.g., IDA Pro), bringing the success rate of zero-day vulnerability exploitation down to below 0.0007%.