CatchApp system can spy on WhatsApp encrypted communications from a backpack

The Israeli surveillance firm Wintego is offering for sale the system called CatchApp that is able to hack WhatsApp encrypted communications.

The Israeli surveillance firm Wintego is offering for sale a system that is able to hack WhatsApp encrypted communications from mobile devices within close proximity of a hidden Wi-Fi hacking device in a backpack.

The news has been reported by Forbes that obtained and published brochures of the system called CatchApp. According to the firm, CatchApp is able to intercept the WhatsApp traffic between the app and the WhatsApp server.

“Brochures leaked to FORBES, and published below, revealed a non-public offering from Haifa-based Wintego called CatchApp. It promises an “unprecedented capability” to break through WhatsApp encryption and grab everything from a target’s account.” reported Forbes.

“in theory the traffic is intercepted between the app and the WhatsApp server and somehow the encryption is decoded by the device, though that may not be possible with the latest upgrades to the software’s cryptography.” Forbes.

The Wintego brochure is no older than April 2015, the anonymous source who provided the documents to FORBES confirmed that the product works on the most current versions of WhatsApp.

The CatchApp feature can be delivered from Wintego’s WINT Cyber Data Extractor that fits into a backpack.

In reality, the WINT hacking device is a complete surveillance system that could allow attackers to extract the entire contents of the targets’ mobile device, including email accounts, chat sessions, social network profiles, detailed contact lists, calendars, photos, web browsing activity, files, and much more.

The WINT Cyber Data Extractor is able to overcome “the encryption and security measures of many web accounts and apps” to grab those credentials.

WINT accesses to a device by intercepting WiFi communications, even when they are attached to a private encrypted network. It is able to track multiple devices by using four separate Wi-Fi access points.

Security experts have some doubts about the real capabilities of the CatchApp, they consider impossible to break the end-to-end encryption implemented by the popular messaging system.

The popular expert Jonathan Zdziarski believes the CatchApp tech is exploiting security vulnerabilities in the Secure Sockets Layer (SSL) encryption.

“I suspect they’re taking advantage of a number of vulnerabilities in SSL implementations… many systems are susceptible to downgrade attacks and other types of MITMs.”

The popular cryptography expert Matthew Green hypothesized that CatchApp is malware designed to exploit WiFi connections as the attack vector in order to target WhatsApp, anyway, it cannot break WhatsApp cryptography.

“They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point.” Matthew Green told FORBES.

“I would bet mundanely the password stuff is just plain phishing. You go to some site, it asks for your Google account, you type it in without looking closely at the address bar.”

“But the WhatsApp stuff manifestly should not be vulnerable like that. Interesting.”

Wintego is only one of the numerous highly-secretive surveillance firms that sell solutions that could be used to spy on victims, but that in the wrong hands could represent a serious threat for netizens.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CatchApp, WhatsApp)