WhatsApp And Google Loophole Allow Anyone To Track WhatsApp Users' Usage Patterns

WhatsApp, broken

Data can come in many forms and types. But whatever the forms or the types, data is valuable for those who know what to do with it.

WhatsApp is one of the most popular messaging apps out there in the market. With more than 2 billion users, the tool has become one integral part of online communication.

While WhatsApp, and Facebook as the company that owns it, do patch bugs whenever they see them, there is one loophole that may not be easy to patch.

According to a research by cybersecurity firm Traced, anyone could track the online status of any WhatsApp user through third-party tracking apps.

Through the apps, one should only enter a target's mobile phone number, and let the apps do the rest.

These apps will notify them when their targets are online/offline, and can even generate full-blown reports of their app usage history based on this information.

As quoted by Traced on its findings:

"Cyberstalkers typically like to collect as much information about their target as possible. They want to know where they are at any given moment; who they’re meeting; who they’re talking to; what their texts say; who they’re emailing; what they’re browsing for online. Knowledge is power, and having this level of power over someone is intoxicating, dangerous and profoundly unethical."

"1 out of 3 women experience violence, and the majority of those cases are done by abusive partners or ex-partners. Those who stalk online are emotionally and psychologically abusive, and can become physically and sexually abusive down the road."

The loophole exists in the WhatsApp feature that allows others to see when someone comes online on the app.

Whenever a WhatsApp user opens the app or bring the app to the foreground, WhatsApp will show their status as 'Online'.

This indicator is public information, and can be used by anyone to build a service that watches out for this online status indicator.

WhatsApp doesn't let its users to disable unknown numbers from seeing their online status, meaning that there's nothing stopping anyone to prevent strangers from knowing when and for how long they use the app.

Even WhatsApp has made this clear on its FAQ page, saying that through "our privacy settings, you have the option to control who can see your last seen. Please note you can't hide your online."

Android stalkerware
Credit: Traced

Google doesn't allow cyberstalking apps on its Play Store, but many Android app developers managed to get around this ban by claiming that their apps can help parents track and monitor their children's online activity, location, messages and more.

While Google did say on its support page that the apps can be used by parents to track their children, Google says that the apps should not be used to track people without their consent, knowledge or permission.

This is why Google said that the apps must have a persistent notification displayed while data is being transmitted.

However, there is nothing that can stop someone who wants to track others through one of these apps.

Although the installation of software without the phone user’s consent or knowledge is actually against the law, it’s hardly enforceable.

This is why stalker apps can still thrive in the Google Play Store. Some even have a subscription model that unlocks more tracking/additional features.

Other than gaining the online status of any WhatsApp user and stalk them whenever they are online, which is certainly a privacy issue, this loophole is not leaking any sensitive data.

According to the researchers at Traced, the only way to prevent this from happening, is to either change the phone number, or use an alternative messaging app.

Further reading: The Use Of Spyware And Stalkerware Has Increased 51% Since Coronavirus Pandemic