There is a method that enables attackers to take over a victim’s WhatsApp account and view their contact list and private conversations.

The technique depends on WhatsApp’s ability to provide a one-time password (OTP) verification code through voice call and the automatic call forwarding services offered by cell carriers.

Utilizing the MMI code

The founder and CEO of the digital risk management firm CloudSEK, Rahul Sasi, tweeted some information about the technique and claimed that it is used to hack WhatsApp accounts.

Testing by BleepingComputer revealed that the approach is effective, despite a few drawbacks that a determined attacker may get over.

A victim’s WhatsApp account may be hacked in a matter of minutes, but the attacker must have the victim’s phone number and be ready to use some social engineering.

According to Sasi, an attacker must first persuade the target to dial a number that begins with an MMI code that the mobile carrier put up to facilitate call forwarding.

Depending on the carrier, a separate MMI code may redirect calls to a terminal to another number whenever the line is busy or there is no reception, or only when the line is congested.

These codes begin with the symbols star (*) or hash (#). They are widely available, and according to our research, they are supported by all of the main mobile network carriers.

The MMI code in before of the 10-digit number instructs the mobile carrier to divert all calls to the phone number supplied after it while the victim’s line is busy, according to the researcher, who claims that the 10-digit number belongs to the attacker.

The attacker starts the WhatsApp registration process on the victim’s smartphone after deceiving them into forwarding calls to their number, selecting the option to get the OTP via voice call.

Once they have the OTP code, the attacker can set up two-factor authentication (2FA) for the victim’s WhatsApp account on their smartphone, preventing the account’s rightful owners from regaining access.

A few warnings

Although the technique appears straightforward, as BleepingComputer discovered through testing, getting it to function takes a bit more work.

First, the attacker must utilise an MMI code that sends all calls, independent of the status of the target device (unconditionally). For instance, call waiting may result in the hijack failing if the MMI only sends calls when a line is busy.

The target device also got text messages during testing from BleepingComputer telling it that WhatsApp was registered on another device.

If the attacker additionally uses social engineering and engages the victim in a phone conversation for just long enough for them to hear the WhatsApp OTP code via voice, users could not notice this warning.

A minor annoyance that can necessitate additional social engineering is that the attacker must use a different phone number than the one used for the redirection if call forwarding has already been enabled on the victim device.

The mobile operators’ activation of call forwarding leaves the target user with the clearest indication of suspicious activity because a warning is displayed on the screen upon activation and doesn’t go away until the user acknowledges it.

Threat actors still stand a decent chance of succeeding despite this prominent warning as the majority of consumers are unfamiliar with the MMI codes or the mobile phone settings that prohibit call forwarding.

Despite these barriers, dishonest individuals who are skilled at social engineering can create a scenario that enables them to keep the victim occupied on the phone until they obtain the OTP code for setting up the victim’s WhatsApp account on their device.

Using cell services from Verizon and Vodafone, BleepingComputer examined this technique and came to the conclusion that an attacker with a convincing scenario is likely to hijack WhatsApp accounts.

According to publicly available data, Sasi’s tweet refers to the cell providers Jio and Airtel, both of which had more over 400 million subscribers as of December 2020.

It’s simple to defend against this kind of assault by using WhatsApp’s two-factor authentication feature. Every time you register a phone with the messaging app, this function requires a PIN, preventing fraudulent users from taking over the account.