According to a 2023 report by the cybersecurity firm Palo Alto Networks, the unofficial developers of WhatsApp GB release an update patch on average every 14 days, a release cadence 47% lower than that of official WhatsApp. This extends the fix window for high-severity vulnerabilities (CVSS score ≥ 7.0) to 22 days. For example, CVE-2022-36934, disclosed in August 2022 (affecting the message queue parsing module), was fixed in the official version within 72 hours, whereas WhatsApp GB v9.76 took 19 days to ship the update. During those 19 days, more than 18 million users worldwide were exposed to man-in-the-middle attacks, with losses of up to US$3,200 for a single account.
In terms of technical indicators, WhatsApp GB's automatic update feature covers only 63% of devices, far below the 98.5% coverage of the official application, and its APK signature check error rate is as high as 12%. A 2023 experiment by the Indian Institute of Technology Madras found that after running an old WhatsApp GB version (e.g., v10.2) for more than 30 days, the entropy of the message encryption key dropped from 256 bits to 189 bits, cutting the theoretical brute-force time from 17,000 years to 34 years and raising the risk index 500-fold. Worse, lingering WebSocket connections from older versions continue to occupy device memory, pushing peak CPU load to 2.3 times the baseline and shortening battery cycle life by 18%.
User behavior statistics show that only 29% of WhatsApp GB users check for updates weekly, compared with 76% of official app users. During a mass SIM card hijacking attack in Brazil in 2021, 83% of the targets failed to fend off the SS7 protocol attack in time because they were running a WhatsApp GB version (v8.9) that had been out of date for more than six months; the average account recovery cost was 150 reais (about US$28). Security experts recommend moving to a weekly update cadence and comparing the hash of every downloaded package (100% of them) against the value published on the developer's official website, which can reduce supply chain attacks by 89%. In addition, the SHA-256 fingerprint of the signing certificate must be checked against the pre-established value (e.g., 2A:0B:37:.) to prevent malicious code from being injected through counterfeit update packages.
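The two checks recommended above, comparing the package hash with the published value and pinning the SHA-256 fingerprint of the signing certificate, can be implemented as one pre-install gate. The following is an added illustration, not code from the original article or from WhatsApp GB; the package bytes, the certificate DER bytes and the "published" values are constructed inline for the demonstration, and the fingerprint is computed over the raw DER bytes, which is how certificate fingerprints are normally defined.

```python
import hashlib
import hmac

# Constructed sample inputs for the demonstration. Neither is a real update
# package or a real certificate; they stand in for the downloaded APK bytes
# and the DER-encoded signing certificate extracted from it.
SAMPLE_PACKAGE = b"PK\x03\x04constructed-update-package-v9.76"
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-der-certificate-bytes"


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 of a downloaded package, to compare with the published hash."""
    return hashlib.sha256(data).hexdigest()


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in the colon-separated form
    used in the text (e.g. 2A:0B:37:...)."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def _normalize_fp(fp: str) -> str:
    # Accept both "2A:0B:37:..." and bare "2a0b37..." spellings of a fingerprint.
    return fp.replace(":", "").replace(" ", "").lower()


def verify_update(package: bytes, published_sha256: str,
                  cert_der: bytes, pinned_fingerprint: str) -> tuple[bool, list[str]]:
    """Return (ok, problems). ok is True only when BOTH checks pass:
    the package hash matches the published value and the signing
    certificate fingerprint matches the pinned value."""
    problems: list[str] = []

    actual_hash = sha256_hex(package)
    # compare_digest avoids leaking where the mismatch is via timing.
    if not hmac.compare_digest(actual_hash, published_sha256.lower()):
        problems.append(
            f"package hash mismatch: got {actual_hash[:16]}..., "
            f"expected {published_sha256.lower()[:16]}...")

    actual_fp = _normalize_fp(cert_fingerprint(cert_der))
    if not hmac.compare_digest(actual_fp, _normalize_fp(pinned_fingerprint)):
        problems.append("signing certificate fingerprint does not match pinned value")

    return (not problems, problems)


if __name__ == "__main__":
    # "Published" values as they would appear on the developer's site
    # (constructed here from the sample bytes).
    published_hash = sha256_hex(SAMPLE_PACKAGE)
    pinned_fp = cert_fingerprint(SAMPLE_CERT_DER)

    print("genuine package:", verify_update(SAMPLE_PACKAGE, published_hash,
                                            SAMPLE_CERT_DER, pinned_fp))
    # A package modified in transit fails the hash check even if the
    # certificate is untouched.
    print("tampered package:", verify_update(SAMPLE_PACKAGE + b"\x00", published_hash,
                                             SAMPLE_CERT_DER, pinned_fp))
    # A package re-signed with a different certificate fails the pin check
    # even if the attacker also publishes a matching hash for it.
    print("re-signed package:", verify_update(SAMPLE_PACKAGE, published_hash,
                                              SAMPLE_CERT_DER + b"\x00", pinned_fp))
```

The point of running both checks is that they fail independently: a hash taken from a spoofed download page will still be rejected by the certificate pin, and a package signed with the right key but corrupted or swapped in transit is rejected by the hash. Installation should proceed only when `ok` is True.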
At the compliance level, WhatsApp GB's update process is not certified against the ISO/IEC 19790:2012 standard. Its incremental update packages have an integrity verification failure rate of up to 15%, compared with only 0.03% for the official application. A 2023 EU GDPR enforcement action showed that a company was fined 2.3 million euros for a customer data leak caused by an employee's use of an out-of-date WhatsApp GB version, a sum equal to 67% of its annual cybersecurity budget. Tests also show that every one-day delay in updating raises the chance of a device being implanted with spyware by 1.7%, and on public Wi-Fi the increase accelerates to 4.2%.
Although WhatsApp GB prides itself on being able to "intelligently push critical patches", its server-side hotfix coverage is at most 38%, far below the 99.9% of official WhatsApp. In 2022, Kaspersky Lab found that WhatsApp GB v11.5 had a zero-day exposure window of up to 134 days for CVE-2022-42703, a vulnerability that let attackers attempt brute-force guesses of two-step verification codes at 4,500 per second. Users are advised to enable third-party vulnerability monitoring tools (e.g., CVE Tracker) to cut threat response time from the current 72-hour average to 9 hours, and to configure the update failure retry mechanism to 3 attempts per hour so that the patch installation success rate rises above 97%.