Malware, Scams, and Fixes: WhatsApp Web Privacy Essentials


Since its inception, WhatsApp has been a contender on the instant messaging market. With each update, it seems the app has been able to cater more intricately to its customers’ needs. This is one of the primary reasons why more than 1.5 billion people around the world rely on the app for communication purposes. WhatsApp Web made it easy for users to use their WhatsApp accounts on their PCs, even though the service was initially introduced as a smartphone app.

Throughout the years, we’ve witnessed WhatsApp set precedent after precedent with its acute attention to user needs. Parallelly, it has offered users secure communication. The latter part was evident when the service introduced end-to-end encryption. For laymen, end-to-end encryption ensures that the message sent is only accessible by the sender and the receiver. No other entity, not even WhatsApp itself, retains any backdoor to communications secured via this method.

But despite some of these thorough mechanisms, lapses in WhatsApp’s security and privacy are a regular occurrence. To their credit, WhatsApp has usually responded to these lapses in time and has plugged any holes. However, with each passing lapse, the privacy concerns of its users become more and more preeminent.

Modern Times, Old Problems

In 2019, it was discovered that thousands of WhatsApp chat groups and links to join them were visible on Google’s SERPs. Forget complicated mechanisms to infiltrate these groups; all it took was a simple Google search to access them. This was despite the end-to-end encryption in place, as well as several other security measures.

As one cybersecurity expert pointed out, the problem with a communication giant like WhatsApp is that there are thousands of underlying privacy issues that have yet to be discovered. The natural conclusion to this is that there’s no real way of knowing how secure and how insecure a user is on WhatsApp. This is despite the service’s bold claims to the contrary.

So, the purpose of this guide is to explore some of the past issues, explain their repercussions in layman’s terms, and more importantly, provide you the necessary precautions that could increase your privacy while using the service.

Historical Perspective: WhatsApp’s Privacy Troubles & Remedial Measures

Few could’ve guessed that WhatsApp would become such a staple at its inception. What began as an attempt at creating a Yahoo Messenger-inspired service has shaped an entire industry. It has brought interesting and important features to the table and taken intra-connectivity to unexpected heights. WhatsApp’s growth has been so meteoric that it can boast of more than a billion people using the app every day.

However, the app has had multiple problems during this journey. Issues of transparency, finance, monetization, and most of all privacy concerns, plague the service. As many of its detractors like to point out, the privacy issues only started occurring after its much talked about acquisition by Facebook. User conversations were dominated by concerns about having to rely on a service that is known for its previous privacy troubles. But is this true? Did WhatsApp’s privacy troubles really begin with Facebook, or were there cracks from much earlier?

A Timeline of WhatsApp’s Security Issues

In 2009, WhatsApp 2.0 was released on the iPhone to allow users to send and receive photos. As useful as this feature was, many users were curious about how WhatsApp would guarantee the safety of these images being sent via their service. It wasn’t until the company’s Series A round in 2011 during a funding pitch that WhatsApp’s founder revealed that it had capabilities for internal encryption. This ensured users did not have to worry about anyone else other than the recipient having access to the sent media.

In early 2012, an anonymous hacker revealed on Reddit that he had developed a website that made it possible for anyone to change the name of any WhatsApp user as long as their phone number was known. Within a few weeks, the website was down and WhatsApp claimed to have fixed the vulnerability.

Later that same year, WhatsApp revealed that all messages sent and received would be automatically encrypted on iOS and Android. It did not extend the same option on Symbian, Windows Phone, or Blackberry. However, WhatsApp still did not reveal how the cryptographic method worked.

In February 2014, Facebook officially acquired WhatsApp for $19 billion, promising new features as well as cross-compatibility never seen before between Facebook and WhatsApp. However, a vulnerability was discovered in WhatsApp’s encryption method a month later. This allowed another app the ability to read any other user’s chat conversations as long as their WhatsApp number was known. WhatsApp soon released an update that fixed this breach. At the same time, it introduced the “read receipts” showing when a message had been received and read by the intended recipient.

WhatsApp Web Brings Convenience…and Complications

The WhatsApp Web login was introduced in 2015. This WhatsApp for web option allowed users to access the service via a web client. All it needed was for you to have an active mobile connection and you could enjoy seamless use of WhatsApp web from any computer you wanted.

Around the same time, WhatsApp started its most ambitious cleanup program. It began cracking down on all third-party apps that it deemed a threat to its users’ privacy. This included WhatsApp+. To ensure that there was no possible loophole, you couldn’t even use WhatsApp on your device as long as any of these third-party apps were installed on it.

In 2016, WhatsApp officially incorporated end-to-end encryption to its arsenal. All forms of communication via the app would be protected via this mechanism. It also allowed all WhatsApp users to verify each other, ensuring there was no case of impersonators exploiting you. A few months later, WhatsApp added dedicated WhatsApp for web clients for both Windows and Mac. These came with the WhatsApp web e-scanner that allowed users to instantly verify and connect with any device they wanted without requiring anything else.

While WhatsApp has done well to ensure that there aren’t any lingering issues on its end, third-party threats inevitably find their way to exploit its users. While some of these require dedicated software, most can be avoided using simple in-app steps. Some of the most common issues, scams, as well as ways to guard against both of these, are discussed in greater detail below.

Malware Through WhatsApp

Malware spreading through WhatsApp is nothing new. However, I have to add that it surprises me how creative some hackers have become when it comes to exploiting the weaknesses in WhatsApp’s security measures. While for the most part, WhatsApp is a secure messaging platform, it is not completely secure. Hackers have been known in the past to send viruses, malware, and even entire Trojan horses in the form of WhatsApp messages.

Through Videos

This has been a favorite tactic of hackers on WhatsApp. It is particularly popular in countries where hackers know the internet connections are slow and the video will take some time to download and playback.

The way this works is simple but effective. A hacker sends a fairly innocuous video. The victim presses download. While the video is seemingly downloading, it creates a backdoor for hackers to breach any data security. If malware is attached to the video, it can further expedite this process.

The minute a user downloads or even clicks on an attachment of this sort, their device and account are compromised. Hackers further customize this malware so that it is automatically forwarded to all of the victim’s contacts, increasing their chances of compromising more victims.

Through Images

These tactics go back to the era of AOL and Yahoo Messengers. Following the dot com boom of the early 2000s, hackers were quick to realize the potential of exploiting multimedia to increase their chances of success.

While this method gained success over the years, WhatsApp has brought exponential growth for hackers that use this method. For instance, WhatsApp has made it easy for users to send up to 25 images at the same time. Once a user receives these images, they can automatically download all 25. However, in the preview dialog asking their permission to download, WhatsApp only shows the first 4 images.

This little window of opportunity means that hackers can easily gain access to a user’s device without them even knowing it. While there’s no easy way to stop this from happening, the best way to ensure you never fall prey to this tactic is by individually downloading each picture. For added security, try and not answer or engage with someone you don’t know on WhatsApp at all.

Through Calls

I had to check and then double-check, but yes, it seems the spread of malware through calls is possible and has been possible for a while. WhatsApp’s calling feature is even better since it grants potential hackers access to users’ internet connection as well.

Absurdly, this tactic first came to public attention when it turned out that it had been in use by the Israeli Defense Forces’ cyber division several years ago. The IDF had used this method, developed by the NSO Group, to spy on their targets and gain intelligence.

It wasn’t long until it found its way into the more common hackers’ arsenal. There’s a lot we still don’t know about this method. Hence, it is advised you not attend WhatsApp calls from numbers you don’t recognize. It has been observed that the calls soon disappear from the victim’s user logs, and hackers mostly use temporary WhatsApp accounts for hacks of this sort.

Fake WhatsApp Web Trojans

This can be particularly compromising for your banking details. WhatsApp Web has been a hacker’s favorite medium to attack potential victims as Trojans can access both the users’ WhatsApp on their mobile devices as well as their PC.

As an example, the WhatsApp Web Banking Trojan steals a user’s confidential information while infiltrating other sensitive files as well. It has been discovered that because it spreads via the WhatsApp Web feature, and not via a program you initially downloaded on your PC, your traditional Trojan detection software will not be able to track it.

Securing Your WhatsApp

There are certain precautions you can take to ensure that you’re reasonably safe from some of the more common scams and malware found to spread through WhatsApp.

Enable Two-Step Verification

I’ve placed this on top of the list because as things stand, this is your best chance to ensure that you never have to face any unwanted security breaches. Most services today support Two-Factor Verification (2FA). It adds a periodic password to WhatsApp. Simultaneously, it requires you to have access to another email or contact number that ideally only you would have access to.

2FA guarantees that your data isn’t being accessed by anyone who’s not supposed to have access to it. You don’t need any special version of the app to enable this protection either. You can follow the few simple steps illustrated below and you’ll have enabled the option on your WhatsApp account:

  • Go to Menu located on the right-hand corner of your WhatsApp home screen.
  • Click on Account.
  • Scroll down and you should see an option labeled as Two-Step Verification.
  • Enable it.
  • You’ll be swiftly directed to create a unique 6-digit PIN code that only you would know.
  • At this point, you’ll be reminded to re-enter your email address to retrieve the PIN in case you forget it.

This is arguably one of WhatsApp’s best security features as the passcode is randomized. It doesn’t matter if you’re using WhatsApp Web or just your smartphone. The procedure remains the same, as does the security provided by 2FA.

Lock WhatsApp With A Password

I feel WhatsApp needs to re-evaluate its position as the service does not offer a default password protect option. Considering how nearly every other VoIP service offers this in some shape or form, WhatsApp seems to be hesitant about it for some reason. However, the service does recommend that if users insist on protecting their WhatsApp Web chats, they can opt for third-party apps.

However, this is easier done on Android than on Apple. For instance, while WhatsApp does not have any specific recommendations on which password protection service to use, there are hundreds of options to choose from in the Play Store. Most of these already have millions of users and offer WhatsApp compatibility, leaving users spoiled for choice.

On the other hand, there’s no way iPhone users can password-protect their WhatsApp chats since Apple does not allow it via passcode or even with a Touch ID. So, Apple users are instead left to rely on their device’s password or pattern lock. While both options have been known to be extremely secure, most users would prefer individually locking their WhatsApp chats if possible.

The fact that this is possible on Android and other mobile operating systems makes it more complicated for Apple. iPhone users who want this kind of password protection on their devices will have to wait until either Apple changes its policy or WhatsApp comes out with an update that incorporates an internal password protection option.

Disable Automatically Saving WhatsApp Media to Phone

I would recommend using this option if you’re not overly concerned about your privacy. While useful, it can cause clutter and save unnecessary media on your phone. This is the same reason why hackers love using this tactic to target their victims.

Hackers will send multiple photos and media at once. Your phone will automatically save all these while giving you a preview of only the first 4 images and videos. In the background, any of these videos and images could have a virus attached to it that could act as a backdoor into your device.

On iOS

  • Go to Settings.
  • Scroll down to Chat.
  • Find the Save Incoming Media option.
  • Click on Off.

On Android

  • Go to Settings.
  • Scroll down to Chat.
  • Click on Media visibility.
  • Uncheck the Flag (you may need to click on No, depending on your WhatsApp version as well as the Android version installed on your phone).

Hide “Last Seen” Information

I thought long and hard about including this on the list. When WhatsApp announced this feature, there was an intense debate on whether it was ethical to let other users know when you’ve come online or not. I expect quick replies on IMs and if I know a user isn’t online, I probably would opt for other communication methods instead.

However, in recent years, I’ve come to realize that this comes with a caveat. If used in a certain way, it can help people figure out your internet activity. This can then be used to exploit any weaknesses in your connection knowing you won’t be online to realize what was happening in the first place.

It seems WhatsApp had a similar realization, as they rolled out an upgrade that allows all users to hide their “Last Seen” information from everyone, even users from their contact lists. Using a few simple steps, you can ensure similar privacy for yourself:

  • Open up Settings.
  • Go to the Profile section.
  • Scroll down to Account.
  • Select Privacy.
  • Scroll until you find the “Last Seen” option.
  • Click on the Nobody option.

It doesn’t matter if you are using WhatsApp on Android or iPhone or even WhatsApp Web, the process remains the same.

WhatsApp Web – Log Out Properly

When the WhatsApp Web service was announced, I didn’t realize I’d end up using the service as much as I have. I expected it to have some complicated steps that would make using the service an “in case of emergency” option at best. My initial impression was wrong since all it takes is one QR scan and voila! I can access my WhatsApp from literally any computer I want.

However, I also realize that this ease of cross-platform usage comes at a privacy risk. One such risk is simple and yet can lead to disaster; what if I forget to log out of WhatsApp Web after I’m done? In any case, all my chats, my media, and any other important documents from my WhatsApp are fully available for anyone to see if they want. I wouldn’t be notified that someone has access to my account, I wouldn’t know someone’s accessing my files either. Chances are that I won’t know I’ve been compromised for quite some time.

As scary as this scenario might seem, there’s an easy way to ensure you never have to be in such trouble: just log out every time you’re done using WhatsApp Web, especially on public computers. I know it seems like a duh! moment, but honestly, as I mentioned above, there’s no way to know you’ve left your WhatsApp Web logged in. In case you want to be extra careful, there’s an option of opening the WhatsApp Web from your smartphone and clicking the “Logout from all devices” option. This means that you’ll be logged out of each device apart from your smartphone. If you use public access computers to access WhatsApp Web often, this would be the safest way to keep yourself safe from any unintended breaches.

Hide Profile Picture

This is now treading into extra care territory. Photos on social media have always had a special role as they not only allow us to identify our contacts but are a medium of communication on their own. When it comes to dedicated VoIP apps like WhatsApp, pictures have helped maintain one’s identity online.

However, as with most other multimedia files, these photos are easy to download. By default, your profile picture is accessible to anyone who has your WhatsApp number. As with some other VoIP apps, you don’t need to approve anyone’s request to add you on WhatsApp either. This leaves your profile picture completely vulnerable. Anyone can download it and use it for several nefarious purposes.

While choosing not to put a picture at all on your WhatsApp account is an option that a lot of people end up going for, I won’t recommend anything so drastic. You can follow a few simple steps to ensure that the people that have access to your profile picture are trusted contacts that you have in your contacts list and not just anyone with your WhatsApp number.

  • Go into the app Settings and choose Accounts.
  • Then choose Privacy.
  • From there on scroll to and click Profile Picture.
  • Then select the option, “Only your contacts can view it”.

No Cloud Backups

It goes a step beyond hiding your profile picture. This is by far the most radical step you could take to protect your privacy online (and some would say the most erratic step as well). What makes this such a surprise inclusion is that this also happens to be one of WhatsApp’s best features.

Users can have their entire WhatsApp chats, from the day they started using the service, backed up on Google Drive or iCloud if they want. This makes it easy for users to reinstall the app on a different phone and retrieve and restore all messages from there. It’s not complicated, and if you back up your messages regularly, it shouldn’t take too long either. However, it can be a problem if you want to make the most of WhatsApp’s end-to-end encryption option.

As you might guess, all your chats on WhatsApp are automatically protected via that end-to-end encryption. However, that does not extend to your backup. On paper, it’s much easier for a hacker to target these backups rather than WhatsApp itself to steal important information or other data.

If privacy is of the utmost concern to you, then I highly recommend not using the cloud backup feature at all. Understandably, you’ll be giving up on one of WhatsApp’s best and most user-friendly features. However, the trade-off is that you’ll be a lot less vulnerable. Apple and Google are subject to different rules and regulations, in addition to their data protection policies that often differ from WhatsApp. This leaves the possibility of a loophole that governments, hackers, and other third-parties can exploit to keep an eye on your conversations.

Disabling WhatsApp’s automatic cloud backup is easy if you follow the simple steps as mentioned below:

On iOS

  • Go to Settings.
  • Scroll down to Chats.
  • Click on the Chat Backup option.
  • Click on Auto Backup.
  • Click on Off to disable the automatic backup.

On Android

  • Go to Settings.
  • Scroll down to Chats.
  • Click on Chat Backup.
  • Scroll down to Backup to Google Drive.
  • Select “Never”.

This should also work on WhatsApp Web. It will disable any automatic backup from there as well regardless of whether you’re using Windows or macOS.

Beware of Common Scams

WhatsApp Web comes with its risks. Sometimes hackers don’t need to attack you aggressively. Some of the most common WhatsApp scams use much subtler methods. The average WhatsApp user must be aware of these scams and avoid them whenever they are targeted by one.

“Your Chats & Messages Being Made Public”

This is one of those WhatsApp scams that proliferated, thanks to misinformation as well as people susceptible to fake news. As ludicrous as these claims are, it’s no surprise that this particular scam was able to gain traction.

It all began when WhatsApp was acquired by Facebook. In terms of functionality, this has been good for WhatsApp. This allows WhatsApp to streamline some crucial services to its users. For users, it also represents an ecosystem that enables them to use different services using the same carrier.

Unfortunately, Facebook’s checkered past has been a contributing factor to this claim. For instance, even though there is no evidence that WhatsApp is sharing your data with any third party not approved by you, it is sharing it with Facebook.

Scandals Bring Unwanted Attention

Facebook has constantly found itself in the news, particularly after the 2016 US Presidential Election, when it became apparent that troll farms had manipulated its algorithms to spread misinformation. More alarmingly, millions of users found out their information had been harvested by Cambridge Analytica.

In the months after that, Facebook’s acquisitions Instagram and WhatsApp have seen their Terms of Service (ToS) amended. In a nutshell, these amendments were to explicitly state that all your data via these services would end up at Facebook. Fortunately, there is an option that allows you to opt-out of sharing this data with Facebook. This would leave you with issues over future beta programs and updates, but it’ll keep your WhatsApp data out of Facebook’s reach.

However, I should state that even if you don’t opt-out, Facebook isn’t going to share your chats and messages publicly. As stated in a Snopes article debunking this myth, your data is your own. To what extent is up for interpretation, but under no circumstances can a public entity like Facebook share information about its users unless presented with a warrant requesting so by law enforcement.

WhatsApp Gold – A Premium Version of WhatsApp

It’s natural to want the very best out of an app, especially if it’s an app that you use so frequently. Unfortunately, if you’ve received a message with a link telling you how to get a “gold” version of WhatsApp, you’ve probably been a victim of a scam.

WhatsApp is a free-to-use service. All of its features are available for use at no cost to users. Whether it’s a regular student from South Korea or a megastar like Cristiano Ronaldo, all use the same version of WhatsApp. The only other version that exists is a Beta program version. It is free to sign up for straight from the Play Store. The only benefit of this program is that it’ll allow you to test out all the updates that WhatsApp plans to launch. There is a downside too as you’re essentially a lab rat testing out any quirks in these updates.

You may have encountered this scam under a different name like WhatsApp Plus or WhatsApp Pro or WhatsApp Star. As I mentioned earlier, there is only one official version of WhatsApp. There is no such thing as a “premium” or “exclusive” feature. If you’ve received a message about any such version, delete it asap because it is likely a virus or malware.

WhatsApp Expired

This is probably one of the oldest scams out there. However, that hasn’t stopped it from circulating now and then. As more users gain access to the internet, these scams increasingly target vulnerable people who don’t know that WhatsApp is a free-to-use service.

There’s no sophistication involved as it usually consists of a single message. It tells you that your WhatsApp subscription has expired and that, for a small sum of $X.XX, you can start using the service again.

WhatsApp has come out officially and stated that it will remain free for as long as the service continues to exist. While users may have reservations about how a service can remain free, it has been WhatsApp’s business model all along. It monetizes itself through tie-ups with corporations. Crucially, there is no possibility of your WhatsApp ever expiring and it will never cost you a single cent.

WhatsApp “Ultra-Light Wi-Fi”

This scam first caught my eye when 4G was just around the corner. In recent years, speed and ease of connectivity have become important elements of the internet experience. This scam was supposed to double down on this by enticing people with faster speeds.

The brains behind this scam gave it a lot of thought. They came up with a near-identical interface and managed to catch the users’ eyes. It offers them an “Ultra-Light Wi-Fi” version of WhatsApp. This version was supposed to reduce users’ internet data costs. It even goes as far as to claim it would be completely data-free.

How do I get this version of WhatsApp? Well, invite 10 of your friends and fill out a short survey. The survey asked for personal information and could be used to exploit your social media accounts. This has been the source of several cases of digital identity theft.

Even if you filled out the survey, you wouldn’t get any option to download this mysterious Ultra-Light version of WhatsApp. WhatsApp has rolled out several updates that make it easy to operate with minimal data usage. If you ever receive a message to download such a version of WhatsApp, know that it is a scam.

Using a VPN to Optimize Your WhatsApp Experience

Considering how important WhatsApp has become when it comes to online communication, it’s no surprise that it faces constant threats to its operations. For all its faults, WhatsApp has maintained that your privacy is above everything else. This has been proven time and again, most notably in 2016 when WhatsApp faced a ban in Brazil over its refusal to hand over information from the app in an ongoing drug trafficking investigation. Its executive in the country, Diego Dzodan, was arrested and released the next day but not before a blanket ban was placed on the service indefinitely.

We can argue the semantics of this case, but there’s no denying that WhatsApp stood its ground in terms of its principles. This has led to similar bans in countries like Sri Lanka, Uganda, Iran, China, and Russia. Most of these countries have imposed their bans on WhatsApp for reasons related to censorship and halting free communication between their populations.

Add a Layer of Privacy

If you’re someone who relies on WhatsApp Web professionally, then you know how costly missing out on WhatsApp can be. You’ll be glad to know that by using a reliable VPN you can ensure you’re never at the mercy of your government. It allows you to express your ideas or to communicate with others fearlessly.

I’d highly recommend choosing PureVPN and for good reason. The most obvious one is the sheer number of servers. PureVPN can offer you access to 6,500+ servers spread across 78+ countries. You can connect to any of these servers and resume seamless access to WhatsApp without any other extra steps required. Moreover, PureVPN guarantees complete safety for you as well. Thanks to its AES 256-bit encryption, it brings a formidable layer of additional safety for all your communications via WhatsApp.

But don’t just take my word for it. More than 10,000 other users like yourself on Trustpilot have rated PureVPN an astounding 4.8 out of 5 stars. This makes it one of the most highly rated VPN services out there. I see no reason why you shouldn’t choose it to be your primary VPN provider.

 

 

Author: Yasir Nawaz

Date: June 20, 2023

Yasir Nawaz enjoys writing on issues related to cybersecurity, digital privacy, and online streaming. A firm advocate of digital equality and freedom of access throughout the web, he believes no piece of consumable information should be restricted online. When he’s not busy writing on such immensely important issues, he finds solace in chess, reading, and staring into the abyss in his best Luke Skywalker impression.
