
How to spy on WhatsApp for free

Valery Aloyants

Out there is a world full of meddlers and nosy people, jealous boyfriends and apprehensive parents who would go to any lengths to know what their loved ones are doing, who they spend their time with and what they talk about when they are in the company of friends. I haven't discovered anything new, have I? I thought so. But, you know, after reading yet another email in which a person asked me how to spy on WhatsApp for free, I could not help myself: I had to publish this little "vent"!

Now, however, let's get back on track and take advantage of this opportunity to do something good, that is, to take a closer look at which techniques are most used by WhatsApp "spies" and how to protect yourself from them.

Fortunately, the messaging system created by Jan Koum and Brian Acton is no longer as vulnerable as it once was. Its protection systems have been strengthened a lot over the last few months, but don't let your guard down! There are still many tactics that attackers can put into practice to get into our smartphones and spy on our conversations, so let's try to understand how to discover them and, above all, how to prevent someone from using them against our accounts. In the end it is less difficult than you might imagine.

Identity theft

Identity theft is one of the risks you need to be most careful about. It is a technique by which a malicious person can "deceive" WhatsApp by pretending to be someone else and access that person's conversations without permission.

WhatsApp Web

Believe it or not, even WhatsApp Web, the official service for accessing WhatsApp from your PC, can be used to carry out identity theft. The fault lies with the Stay connected function, which allows the browser to store the user's identity and access conversations without requiring a new scan of the QR code.

In a nutshell, if an attacker manages to get hold of your smartphone (any excuse is enough, for example the need to make an urgent call), he can activate the Web version of WhatsApp on any notebook, tablet or smartphone and get access to all your conversations without you noticing. That access will be continuous, not temporary, as WhatsApp Web works even when the mobile phone is not connected to the same wireless network as the computer (as long as it has an active Internet connection of any kind).

However, if the owner of the device has set up biometric protections, such as unlocking the device with the face or a fingerprint, this approach is not feasible: when WhatsApp Web is activated, the device owner is asked to confirm the operation.

The same argument would also apply to the official WhatsApp client for Windows and macOS, but in that case the procedure would be needlessly longer for the attacker (as he would first have to install software on his PC).

Cloning of the MAC address

Another technique that can be used to spy on WhatsApp for free is MAC address cloning. What is it about? I'll explain it to you right away. The MAC address is a 12-digit code that uniquely identifies all devices capable of connecting to the Internet. It is also used by WhatsApp to verify the identity of users (together with the phone number), but with ad hoc applications it is possible to disguise it and deceive the application.

If an attacker installs some of these apps on their mobile phone (e.g. BusyBox and Mac address ghost for Android and SpoofMAC on iPhone) and manages to find out the MAC address of your smartphone (just go to the Info screen of the settings), they can install a "cloned" version of WhatsApp and access your conversations.

Fortunately, this is not a very common practice. It requires some technical preparation and a lot of time spent "in the company" of the victim's phone, first to find out the MAC address of the device and then to read the confirmation SMS necessary to activate the "cloned" copy of WhatsApp on the other smartphone. In any case, being aware of its existence will help you avoid possible intrusions into your account.

How to defend against identity theft

As we have just seen, most of the techniques for stealing an identity on WhatsApp involve physical access to the victim's phone. This means that to protect yourself you just need to follow simple - but fundamental - rules of common sense.

  • Use a secure PIN - rule number 1 for preventing someone from sticking their nose into our smartphones is to set a secure PIN on the lock screen. Here's how on Android and iOS.
    • Android: go to the Settings > Security > Screen Lock > PIN menu. Alternatively, you can set a gesture instead of the numeric PIN by going to Settings > Security > Screen Lock > Sequence.
    • iPhone: go to the Settings > Touch ID and Code > Change code menu.
  • Disable the display of SMS on the lock screen - another trick that I advise you to put into practice is disabling the display of SMS on the lock screen. In this way, if an attacker tries to activate a "cloned" copy of WhatsApp using your phone number, he will not be able to view the verification code necessary to make it work, as no message will appear on the smartphone lock screen (and access to the phone will be blocked by the PIN) [1]. Here's how to proceed.
    • Android: go to the Settings > Security > Screen Lock > PIN menu, set a PIN and choose to hide only sensitive content.
    • iPhone: go to the Settings > Notifications > Messages menu and remove the check mark from the Show in "Lock Screen" option.
  • Check your WhatsApp Web sessions - by going to the Settings > WhatsApp Web menu of WhatsApp you can check all active WhatsApp Web sessions for your account. If you notice any suspicious activity, press the Disconnect from all computers button and any "spies" will no longer be able to access WhatsApp Web using your account (they would have to scan the QR code again with your smartphone to do so). Perform this check from time to time and you will avoid any identity theft through the Web version of WhatsApp.
  • Use a secure password for your cloud accounts - many applications today, including WhatsApp, synchronize their data with the cloud (Android uses Google's cloud systems and iPhones use Apple's iCloud platform). If someone managed to find out the password to your cloud accounts, they could easily get to your data and, with some tricks, even the WhatsApp backups (which in any case would be unreadable without decryption, but it is better to avoid this happening).
  • Be careful who uses your smartphone - the most trivial advice, but probably the most important of all. If you want to keep your WhatsApp account safe, avoid lending your phone to strangers, check what any acquaintances or friends do with your phone and do not leave your smartphone unattended in public places.

Applications to spy on mobile phones

As I also explained in my post on applications to spy on Android phones, there are numerous programs that allow you to monitor, control and locate smartphones from a distance. Many of them are completely free and have the ability to hide, that is, they do not appear on the home screen of the phone or on the screen with the list of all the apps installed on the device.

How to defend yourself from spy applications

The installation of spy apps also requires physical access to the victim's cell phone, so I recommend that you follow the tips I gave you earlier and keep your phone under control at all times. In addition, you could take a look at the list of applications installed on your smartphone and see if there is anything suspicious.

  • Android: to view the complete list of apps installed on Android, go to the Settings > Apps menu and select the All tab.
  • iPhone: to view the list of applications installed on an iPhone, go to the Settings > General > Use space and iCloud > Manage space menu.

Another clue that, on Android, can signal the presence of spy apps in the system is the addition of new applications to the list of device administrators. So go to the settings of your smartphone, tap the Security icon and select the Device administrators item from the screen that opens. At this point, check that there are no "suspicious" entries in the list of apps that manage Android. Otherwise, remove the check mark from the suspicious application and uninstall it by searching for it in the Android app list.

If you have a jailbroken iPhone instead, you can try to "unmask" the spy applications by typing the code *12345 in the dialer or by trying to connect to the addresses localhost:8888 and localhost:4444 from the browser. If there are spy apps installed on the device, it is likely that in one of these ways you will be able to access their management panel and then disable them. I also advise you to open Cydia and carefully check the list of all the packages installed on your device: if you notice any that could be traced back to applications for spying on the iPhone, remove them.

Are you worried that someone has installed a spy app on your smartphone but you can't see it? In cases like these, I'm sorry, but the only viable solution to dispel any doubts is to format the phone, deleting all apps and data. If you want to know how, check out my tutorials on how to reset iPhone and how to format Android.
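As a complement to reviewing the Android app list by hand, the following added example (not part of the original article) lists third-party packages over USB debugging and flags those that were not installed from a trusted store. It assumes the `package:<name>  installer=<installer>` line format printed by `pm list packages -3 -i`; the sample output, the package names in it and the `TRUSTED_INSTALLERS` set are constructed for illustration.

```python
import re
import shutil
import subprocess

# Installers treated as trusted stores (assumption; extend for your vendor's store).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output (not from a real device).
SAMPLE_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.flashlight  installer=com.android.vending
package:com.example.systemservice  installer=null
package:com.example.syncupdate  installer=com.google.android.packageinstaller
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_packages(output):
    """Return {package: installer or None} from `pm list packages -i` output."""
    found = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            installer = match.group("installer")
            found[match.group("pkg")] = None if installer == "null" else installer
    return found


def sideloaded(packages, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is missing or not a trusted store, sorted by name."""
    return sorted(pkg for pkg, inst in packages.items() if inst not in trusted)


def read_device():
    """Query a USB-connected phone with debugging enabled; fall back to the sample."""
    if shutil.which("adb") is None:
        return SAMPLE_OUTPUT
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, timeout=30,
    )
    return result.stdout if result.returncode == 0 else SAMPLE_OUTPUT


if __name__ == "__main__":
    for name in sideloaded(parse_packages(read_device())):
        print("review:", name)
```

A flagged package is not proof of a spy app; it only narrows the list of entries worth checking against the device administrators screen described above.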

Monitoring of wireless networks

Many people have asked me if it is possible to spy on WhatsApp for free with applications, such as the very famous Wireshark, which allow you to monitor all data passing over a wireless network. The answer is no, at least not anymore.

In fact, at the end of 2014, WhatsApp began to adopt a system of end-to-end encryption which makes the messages unreadable for everyone except the legitimate senders and recipients. Even on WhatsApp servers, messages arrive in encrypted form. The system, called TextSecure, involves the use of a pair of keys: a public one that is shared with the interlocutor and allows you to encrypt outgoing messages and a private one that resides on your smartphone and allows you to decrypt incoming messages.

That said, it must be remembered that WhatsApp is a closed source application, so it is not possible to thoroughly examine its source code and therefore not possible to know whether there were errors in the implementation of the end-to-end encryption (errors that clearly could compromise its effectiveness).

Moral of the story: WhatsApp is reasonably safe from the monitoring of Wi-Fi networks (so-called "sniffing"), but don't let your guard down. Therefore, avoid connecting to public Wi-Fi networks and make sure you always use the most up-to-date - and therefore more secure - version of the application.

  1. It should be emphasized that without the prior cloning of the MAC address it is impossible to spy on WhatsApp. The service, in fact, allows you to associate each phone number with a single smartphone, and therefore the legitimate owner of the account would just need to reactivate his copy of WhatsApp to lock the spies out.