State-sponsored attack scenario on WhatsApp


Under the umbrella of surveillance programs and lawful interception, espionage systems are built and operated around the world. Such systems are mainly composed of three components: 1) Exploit delivery, 2) Exploitation, and 3) Data storage and retrieval. A large number of state-sponsored attacks have been uncovered recently by a number of whistleblowers and hacking groups [1, 2, 3, 8]. These types of attacks are characterized by sophisticated exploitation techniques and the use of zero-day vulnerabilities. When remote exploitation is not feasible, exploit delivery is needed. In this article, we cover a recent technique, known as man-on-the-side (MOTS), for exploit delivery. We then describe an attack scenario on WhatsApp, and show how would the recently discovered DirtyCow vulnerability [4] be used to steal WhatsApp conversations without requiring elevated privilege or root access on the target device.

Man-on-the-side (MOTS) Attacks

MOTS is a variation of the man-in-the-middle (MITM) attack, where the attacker does not necessarily need to be in the middle. The attacker is required to be sitting at a privileged position on the Internet’s backbone, passively intercepting traffic. This could be done via partnership with telecom companies. In a DNS based MOST scenario, the attacker would be intercepting the DNS traffic. Upon capturing a DNS request from the target, the attacker replies back with a fake DNS reply on behalf of the legitimate DNS server (figure 1). This race condition exploited by the attacker is the essence of MOTS. A number of attacks can be performed by means of MOTS. We list the main ones:

  1. Traffic redirection

    • The target could be automatically redirected to a fake web server that claims to be the real one (figure 1). While this might be less used, it can still be considered as a valid scenario.

Figure 1. DNS based MOTS attack.

  1. Cookie injection

    • The target could be redirected to an attacker-controlled proxy server which relays the traffic on his behalf, and injects a HTTP cookie in the server reply (figure 2). The injected cookie will then be used by the user for all subsequent requests. This could be useful to uncover anonymous identities on the TOR network.

Figure 2. HTTP cookie injection via MOTS.

  1. JavaScript injection (figure 3)

    • This could be used to launch Distributed Denial of Service (DDOS) attacks. A large DDOS attack was launched from China on 26 March, 2015, to take down Github services [5]. It worked by injecting JavaScript code in the response of Baidu Analitics script; causing the browser to continuously request pages on

    • This could also be used to prompt for malware download or exploit specific browser and operating system zero-day vulnerabilities on the target machine.

Figure 3. JavaScript injection with MOTS.

  1. Malware delivery

    • The malware delivery mechanism depicted in figure 4 is better be called Malware-On-Demand (MOD). The process can be summarized as follow:

      1. The target requests a file for download.
      2. The request is intercepted by the attacker.
      3. The file is downloaded on behalf of the target.
      4. On-the-fly malware infection is performed.
      5. The injected file is returned back to the target.

MOD systems can target multiple platforms with support of different executable types (EXE, APK, IPA, etc…). The main targets are un-encrypted and unofficial third party repositories of software and mobile apps (e.g., Mobogenie [7]).

Figure 4. Malware on demand (MOD).

Exploiting WhastApp on Android with DirtyCow

The malware-on-demand (MOD) mechanism discussed previously allows delivering malicious applications to android based mobile phones. Once installed and run, these malicious apps could exploit zero-day vulnerabilities, which would allow them to perform privilege escalation (e.g., gain root access) and execute arbitrary code on the device. Under normal circumstances, the target user would be unaware of the malicious activities taking place on his device, since everything will be running in background. In this section we discuss how would a malicious application exploiting the DirtyCow vulnerability [4] be able to steal all WhatsApp conversations from a target device, even without gaining root access.

DirtyCow is a Linux vulnerability inherited by Android. It is caused by a race condition in the implementation of the copy-on-write mechanism in the kernel memory management subsystem. In other words, it can be used to overwrite read-only files. While it can be easily exploited to gain root access on an unpatched Linux system, it remains a bit tricky on Android. In our proposed scenario, no root is needed to steal WhatsApp conversations from the target device. Whatsapp stores these conversations in a SQLite database on the internal device storage. Because this storage can be accessible by all other applications, Whatsapp encrypts the database using a key file stored in its home directory. Only WhatsApp has access to the key file, meaning that only WhatsApp is able to decrypt the database holding the conversations. The proposed idea is to exploit the DirtyCow vulnerability in order to overwrite the WhatsApp APK with a new version that would be used to dump the encryption key file to the internal memory storage (figure 5). The malicious app will then be able to collect the key and the database (msgstore.db) from the memory storage and send them to an attacker-controlled server. Or instead, the conversations could be decrypted on the device and sent as plain-text to the attacker. This attack scenario is depicted in figure 5.

Figure 5. WhatsApp exploitation scenario via malicious APK equipped with DirtyCow [4].


[1] Cayford, M., van Gulijk, C., & van Gelder, P. H. A. J. M. (2015). All swept up: An initial classification of NSA surveillance technology.

[2] van der Vlist, F. N. (2017). Counter-Mapping Surveillance: A Critical Cartography of Mass Surveillance Technology After Snowden. Surveillance & Society, 15(1), 137.

[3] WikiLeaks, (2017). Vault 7: CIA Hacking Tools Revealed,

[4] Dirty copy-on-write vulnerability. (2016). DirtyCow,

[5] Hjelmvik, E., (2015). China’s Man-on-the-Side Attack on GitHub. NETRESEC,

[6] Schneier, B., (2013). Attacking Tor: How the NSA Targets Users’ Online Anonymity. The Guardian,

[7] Mobogenie Market for Android,

[8] Hern, A., (2015). Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim,

One thought on “State-sponsored attack scenario on WhatsApp”

Leave a Reply

Your email address will not be published. Required fields are marked *