There is a method that enables attackers to take over a victim’s WhatsApp account and view their contact list and private conversations.

The technique depends on WhatsApp’s ability to provide a one-time password (OTP) verification code through voice call and the automated call forwarding services offered by mobile carriers.

Utilizing the MMI code
The founder and CEO of the digital risk management firm CloudSEK, Rahul Sasi, tweeted some information about the technique and claimed that it is used to hack WhatsApp accounts.

Testing by BleepingComputer revealed that the approach is effective, despite a few drawbacks that a determined attacker may get over.

A victim’s WhatsApp account can be hacked in a matter of minutes, but the attacker must have the victim’s phone number and be ready to use some social engineering.

According to Sasi, an attacker must first persuade the target to call a number that begins with an MMI code that the mobile carrier set up to facilitate call forwarding.

Depending on the carrier, a different MMI code may redirect calls to a terminal to another number whenever the line is busy or there is no reception, or only when the line is congested.

These codes begin with the symbols star (*) or hash (#). They are widely available, and according to our research, they are supported by all of the main mobile network operators.

The MMI code in front of the 10-digit number instructs the mobile carrier to divert all calls to the phone number supplied after it while the victim’s line is busy, according to the researcher, who claims that the 10-digit number belongs to the attacker.

The attacker starts the WhatsApp registration process on the victim’s device after deceiving them into forwarding calls to their number, selecting the option to get the OTP via voice call.

Once they have the OTP code, the attacker can set up two-factor authentication (2FA) for the victim’s WhatsApp account on their smartphone, preventing the account’s rightful owners from regaining access.

a few warnings
Although the technique appears straightforward, as BleepingComputer discovered through testing, getting it to function takes a little more work.

First, the attacker must utilise an MMI code that sends all calls, independent of the condition of the target device (unconditionally). For instance, call waiting may result in the hijack failing if the MMI only forwards calls when a line is busy.

The target device also received text messages during testing from BleepingComputer telling it that WhatsApp was registered on another device.

If the attacker also uses social engineering and engages the target in a phone call for just long enough for them to hear the WhatsApp OTP code over voice, users could not notice this warning.

A minor annoyance that can necessitate more social engineering is that the attacker must use a different phone number than the one used for the redirection if call forwarding has already been enabled on the victim device.

The mobile operators’ activation of call forwarding leaves the target user with the clearest indication of suspicious activity because a warning is displayed on the screen upon activation and doesn’t go away until the user acknowledges it.

Threat actors still stand a decent chance of succeeding despite this prominent warning since the majority of users are unfamiliar with the MMI codes or the mobile phone settings that prohibit call forwarding.

Despite these barriers, dishonest individuals who are skilled at social engineering can create a scenario that enables them to keep the victim occupied on the phone until they obtain the OTP code for setting up the victim’s WhatsApp account on their device.

Using mobile services from Verizon and Vodafone, BleepingComputer examined this technique and came to the conclusion that an attacker with a convincing scenario is likely to hijack WhatsApp accounts.

According to publicly available data, Sasi’s post refers to the cell providers Jio and Airtel, each of which had more than 400 million subscribers as of December 2020.

It’s simple to defend against this kind of assault by enabling WhatsApp’s two-factor authentication feature. Every time you register a phone with the messaging app, this function requires a PIN, preventing fraudulent users from taking over the account.