Prime Minister David Cameron might hate WhatsApp and other apps of its ilk but spammers increasingly love it, sending a telling spike in spam over these services in late 2014, security firm AdaptiveMobile has discovered.
What the security firm has spotted is pretty small stuff by the standards of computer email or even conventional SMS spam, but it’s an important pointer to the future. As these services take over global messaging, as they undoubtedly will, the amount of spam reaching users on these services will rise.
AdaptiveMobile said it had noticed a small number of nuisance campaigns in recent weeks, including one reaching UK and Irish users in December that probably had a US origin. A particular hotspot was India, which had seen spammers migrate to OTT systems after filtering was successfully implemented on SMS networks.
The on-ramp for a lot of these campaigns are US-based VoIP providers, which use virtual numbers, the firm said. This meant that campaigns could in principle piggyback on global services to target users anywhere from anywhere, which also made them harder to trace.
WhatsApp's size and growth rates made it the main target.
“The total scale of these individual spam attacks over WhatsApp is hard to tell, but if anything, it does seem clear that WhatsApp is joining the ranks of messaging systems which now have a functioning and active spam ecosystem,” said AdaptiveMobile's research note.
The problem faced by apps such as WhatsApp and others is that the end-to-end encryption they now use to secure messages – the bit that Camerson and the UK security services don’t like because it makes surveillance harder – is also the reason they can’t filter messages for abuse. Filtering must be done at the client side and becomes the user's problem.
That means that the services must employ technology to identify rogue accounts, shutting them down as they are spotted.
“The days of WhatsApp users assuming that they are immune from spam are drawing to an end,” said Adaptive. “As it becomes bigger, the more it is going to be a target for the spammers and criminals who have honed their skills on other, more established, messaging bearers.”