[closed] How can I spy on someones WhatsApp account without physical access to the phone?

1
1

Hey hackers!

I suspect my other half to play around and the WhatsApp is the used murder weapon in this case. Any help will be appreaciated.

Maybe can you recommend some good trojan or hidden (running in the background) FTP/SSH server application for android? In such case it would be possible to copy just the WhatsApp backup files which can be easily read on the PC with the Whatsapp_Xtract.

Important information:

  1. I have no physical access to the device (WiFi sniffing is also not going to work in this case),
  2. I know the victim's IP address.

Just to encourage you to provide the best answers - according to Mt.Gox today:

0.299 BTC ~= $3.01 ~= 2.4€ :)

Thanks in advance for your answers!

asked 24 Aug '12, 19:56 Znany 391118 Znany's gravatar image
closed 03 Sep '12, 15:30

So far I've received 3 answers:

  • one of them requires an access to the WiFi network of the victim (impossible in the presented case)
  • another solution is the rooting of the victim's phone - it requires a temporary access to the victim's device, the process may be complicated (or even time-consuming) for the person without any experience in this matter. Definately, the same can be obtained with the hidden background-working SSH/FTP server. Do you know something like this?
  • the last answer doesn't provide any solution, just suggests some useful hints.

...I keep waiting for more answers.

(27 Aug '12, 15:27) Znany Znany's gravatar image

hi @Znany, do you like some answer?

(01 Sep '12, 21:51) paraipan paraipan's gravatar image

The question has been closed for the following reason "Caffeinewriter won 349.00 mBTC for the best answer." by Znany 03 Sep '12, 15:30


For the record, this activity is prohibited by numerous laws, as is any "wiretapping" or similar activities without the consent of the user. Second of all, the following information is for informational purposes only.

These quotes from Wikipedia may help:

WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP). Upon installation, it creates a user account using one's phone number as username (Jabber ID: [phone number]@s.whatsapp.net) and an MD5-hashed, reversed-version of the phone's IMEI as password.

Until August 2012, Messages were sent in unencrypted plain-text format, making the system vulnerable to session hijacking. As of 15 August 2012, the WhatsApp Support Staff claims messages are encrypted in the "latest version" of the WhatsApp software, without specifying the implemented cryptographic method.

WhatsApp synchronizes with the phone's address book, so users do not need to add contacts in a separate book. Since all users are registered with their phone number, the software returns all WhatsApp users among one's contacts.

And

In May 2011 there was a security hole reported in WhatsApp which left user accounts open for hijacking. According to some sources, it is believed that this hack was performed, and later fixed by helping WhatsApp reproduce it on Android and Symbian, by Liroy van Hoewijk, CEO of CoreISP.net.

Since May 2011 it has been reported that communications made by WhatsApp are not encrypted, and data is sent and received in plaintext, meaning messages can easily be read if packet traces are available. In May of 2012 security researchers noted that new updates of WhatsApp no longer sent messages as plaintext.

In September 2011 a new version of the WhatsApp Messenger application for iPhones was released. In this new version, the developer has closed a number of critical security holes that allowed forged messages to be sent and messages from any WhatsApp user to be read.

On January 6, 2012 an unknown hacker published a website (WhatsAppStatus.net) which made it possible to change the status of an arbitrary whatsapp user, as long as the phone number was known. To let it work it only required a restart of the app. According to the hacker it is only one of the many security issues in Whatsapp. On January 9, Whatsapp reported to have implemented a final solution. In reality the only measure that was taken was blocking the website's IP-address. As a reaction a Windows tool was made available for download providing the same functionality. This issue has not been resolved until now. The first notification of this issue was received by Whatsapp in September 2011.

On January 13, 2012, Whatsapp was pulled from the iOS App Store. The reason was undisclosed. The app was added back to the App Store 4 days later.

Solution:

DISCLAIMER: This is for informational purposes only! I am in no way responsible for the way you use this information! According to Federal Law, this is illegal! Don't do it!

The best way to get your hands on their file is to social engineer them. Convince them to download something like an FTP Server. (Not sure if this works on the whole phone filesystem, but I'm sure there's one) What you can do is give them a reason to. One way you could convince them is to every so often, use a DOS or DDOS if you can against their IP address, (it may change as many IP addresses are now dynamic) and convince them that it's a problem you can fix by helping them remotely. Or even better, get actual physical access to their phone. It's even better if you have the same service provider/phone model that they have. Here's a sample conversation.

You: Hey, have you been having trouble with your phone connection?

Them: Yeah! It's really weird!

You: I figured out that it's a problem with the firmware. I fixed it on mine.

Them: Really!? Could you help me out?

You: Sure! I just need to borrow your phone for a little bit.

Them: Okay!

That's just hypothetical, but something along those lines can help. Another way you could do that is use TeamViewer while their phone is connected to their computer. It's just hypothetical again, and also still illegal. So this is still just information.

Reference sites:

http://whatsappspysoftware.com/

http://www.androidcenterapk.info/2012/05/download-whatsappsniffer-v103-apk.html

http://hexus.net/mobile/news/general/38813-whatsapp-chat-spying-theres-app-that/

http://en.wikipedia.org/wiki/WhatsApp

link
answered 26 Aug '12, 00:44 Caffeinewr... 7126 Caffeinewriter's gravatar image
edited 27 Aug '12, 19:06

Good tips, thanks! However I'm not planning to develop my own tool, I'm lazy and I'm looking for the ready solution;)

... it creates a user account using one's phone number as username (Jabber ID: [phone number]@s.whatsapp.net) and an MD5-hashed, reversed-version of the phone's IMEI as password.

So, now it's just enough to know the victim's IMEI number and try to connect to Jabber's network using any PC-client application?

(26 Aug '12, 11:31) Znany Znany's gravatar image

lol, obvious solution is obvious :)

(26 Aug '12, 13:06) paraipan paraipan's gravatar image

Well the reason it's so hard is because it's designed to be secure, albeit it's not really all that secure, which is why there are some tools to get WhatsApp messages. It's especially difficult when you don't have physical access to the phone and it's not on the same Wifi network, but it theoretically is possible.

However, if you ever do have physical access, to obtain the IMEI just open up the dialpad section of the phone and enter *#06#

That will display the IMEI on any phone. You may or may not have to hit send.

(26 Aug '12, 13:12) Caffeinewr... Caffeinewriter's gravatar image

It can be a nice path to explore, however according to this nice blog note on the WhatsApp and Jabbler:

And even if, by whatever means, you get two working connections for one WhatsApp account/number, their servers will be able to detect it and maybe kick you out for good, leaving you with the alternatives that you probably tried to avoid in the first place.

So such connection can block the application on the original device.

(26 Aug '12, 19:36) Znany Znany's gravatar image

Nevertheless, I found also a nice PHP/Python API for the further plays with WhatsApp. At least it can generate your Jabber password from the given IMEI number. Even though, I'm still waiting for the better solutions of the presented hacking problem.

(26 Aug '12, 19:39) Znany Znany's gravatar image

Your answer seems to be the most useful so far, take these 50mBTC of the tip:)

(27 Aug '12, 15:29) Znany Znany's gravatar image

I added a potential (illegal) solution for informational purposes on how it could work. :) Hope that helps out some more ^_^

(27 Aug '12, 19:06) Caffeinewr... Caffeinewriter's gravatar image

Do you need any more suggestions on how to obtain the chat logs?

(28 Aug '12, 19:14) Caffeinewr... Caffeinewriter's gravatar image

I like your solution, the social technique is not so bad idea. However, in this case every popular FTP/SSH server signalize its presence by the icon visible in the tasks tray. The only element that is missing is the application that will keep working in the background without showing that it's active. But as you mentioned - this method is very, very illegal:P [that's why I like it the most, thanks:P]

(29 Aug '12, 16:37) Znany Znany's gravatar image
showing 5 of 9 show all

WhatsAppSniffer should dot the trick, her is a link: http://www.androidcenterapk.info/2012/05/download-whatsappsniffer-v103-apk.html

link
answered 25 Aug '12, 13:46 EwoudSurmont 192 EwoudSurmont's gravatar image

As I wrote "WiFi sniffing is also not going to work in this case". Sorry, but Whatsapp Sniffer assumes that the victim is in the same WiFi network as the sniffer, so it cannot be used in this case.

(26 Aug '12, 11:26) Znany Znany's gravatar image

You cannot do that without a rooted phone. If you want help rooting it, feel free to post your phone's brand and model ! I will be pleased to help you !

link
answered 25 Aug '12, 23:51 Claydelas 111 Claydelas's gravatar image

So you suggest that if a victim has a rooted phone, it's possible to get a remote access to it?

(26 Aug '12, 11:27) Znany Znany's gravatar image

Yes. I beleave that the files are stored on the root/data/ folder.(I am not sure that this is the right location, i unrooted my phone a while ago.)

(26 Aug '12, 12:17) Claydelas Claydelas's gravatar image

But anyway - it requires some temporal access to the device to root it. I guess that then you can install a kind of ssh server that will let you to browse the files, am I right?

(26 Aug '12, 19:19) Znany Znany's gravatar image

It is a long shot, but if you know their IP you can try running Nessus, Nexpose, or OpenVAS to see if it finds any open vulnerabilities. I searched Metasploit's exploits and couldn't find any exploit specific for WhatsApp.

If you really enjoy pentesting look at Backtrack 5 and the Metasploit framework.

edit to add: Spear Phishing is the correct spelling for below. They also make Vulnerability scanners and Metasploit for windows if you are crammed for time. Nessus and Metasploit are also available in Windows.

link
answered 29 Aug '12, 17:51 jenniferpi... 1625 jenniferpippin's gravatar image
edited 29 Aug '12, 20:00

Metasploit has Android specific payloads. You can also look into spearfishing, Sending an e-mail that will direct to a website with the malicious payload. If you get Backtrack 5, The Social Engineering Toolkit. This has stuff on cloning websites and stuff. Pentesting is an art, Rare when you can tell somebody over the phone how to do a death punch.

(29 Aug '12, 18:04) jenniferpi... jenniferpippin's gravatar image

Look at this site: http://0x80.org/blog/?p=652 Just sniff the packages from his network. If you need more information, just ask.

link
answered 30 Aug '12, 16:52 Numb3rs 112 Numb3rs's gravatar image

Typically to perform a MITM attack, you need to be on the same network as the user. He stated that using Wifi sniffing is not feasible for him.

(31 Aug '12, 20:47) Caffeinewr... Caffeinewriter's gravatar image

Exactly - this solution won't work for me. But this script can be a real fun when you run it in some public network, like in the library, a restaurant or in the hotel:)

(03 Sep '12, 12:31) Znany Znany's gravatar image

New program found. FinFisher. See if you can find a copy of it. You have to put the FinSpy payload on the users phone. It can infect Iphones and Androids. You can infect the targets phone and record everything with an text message saying the user needs to install a new app (FinSpy).

Originally made for Law Enforcement, It is loose now. http://www.finfisher.com/FinFisher/en/index.php

link
answered 02 Sep '12, 08:20 jenniferpi... 1625 jenniferpippin's gravatar image
edited 02 Sep '12, 08:22

It's a bit complicated to find an Android apk and whole the tool for this program. If you provide some useful links, I'll reward you amply with the bitcoin tips:)

(03 Sep '12, 13:24) Znany Znany's gravatar image

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×21
×9
×5
×3
×2

Asked: 24 Aug '12, 19:56

Seen: 238,818 times

Last updated: 27 Oct '12, 18:34



Bitcoin forums:
Bitcointalk.org
p2p Bitcoin forum
Bitcoinforum.com

Blogs and press:
elBitcoin.org (ES)
Que es bitcoin.info (ES)
bitcoinInformant.com
bitcoinmagazine.net

Partners:
Bitcoinerr.com
ogrr.com
The Unoff. Bitcoin Forum