
WhatsApp’s silent threat: the screen-sharing scams

dark6 18 November 2025

The current wave of WhatsApp scams, fueled by the platform’s recently introduced screen-sharing feature, is a prime example. It’s a chilling demonstration of how a seemingly innocuous feature can become a high-yield attack vector, draining hundreds of thousands of dollars and highlighting the vulnerability of even the most widely adopted communication platforms.

The core of this threat isn’t about brute-force hacking; it’s about social engineering. The attacks typically begin with an unsolicited WhatsApp video call from an unknown number. The caller, often posing as a bank representative, Meta support, or even a distressed acquaintance, immediately attempts to establish a sense of urgency. They might fabricate stories of unauthorized charges, suspicious account activity, or pending verification, pushing the victim to act “immediately” to “resolve the issue.” The lure is simple: “I need you to just share your screen so I can fix this for you.”

What makes this so effective is the fact that WhatsApp’s screen-sharing feature, while intended to facilitate technical support, provides the attacker with a disturbingly clear view of the victim’s digital life. Incoming messages, verification codes, and app interactions become visible, allowing the attacker to immediately seize control of the account. ESET security researchers have identified three key levers driving this fraud: impersonated trust, time pressure, and device visibility. It’s a meticulously crafted operation that capitalizes on human psychology.

But the screen-sharing scam isn’t simply a case of impersonation and information theft. The attacks are becoming increasingly sophisticated, leveraging the same WhatsApp Web interface to deliver malware. The Brazilian campaign, for instance, employs a self-propagating chain delivered via WhatsApp Web. Victims receive a ZIP archive that, when extracted, launches an obfuscated VBS downloader, SORVEPOTEL, which executes a PowerShell script in memory. This script then hijacks the active WhatsApp Web session, fetches malicious content, and ultimately spreads the infection to all contacts. The Brazilian malware, dubbed Maverick, adds a crucial layer of defensive evasion. It checks for reverse-engineering tools, validates the host locale, and targets financial institutions in Latin America, aligning with the goal of credential theft and session manipulation.
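The chain described above (a VBS file opened from a ZIP archive, which then starts PowerShell that runs a script in memory) leaves a recognizable process-creation pattern on the endpoint. The following is an added detection sketch, not code from the article or from the vendors it cites. The event field names, the sample events, and the regular expressions are assumptions for illustration: generic heuristics rather than indicators taken from this campaign.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Temp folders used when a file is opened straight from an archive
# (Explorer "Temp1_*.zip", 7-Zip "7zO*", WinRAR "Rar$*"); generic heuristic.
ARCHIVE_TEMP = re.compile(r"\\(Temp\d+_[^\\]+\.zip|7zO[^\\]+|Rar\$[^\\]+)\\", re.I)
# Generic markers of in-memory PowerShell execution (assumed, not campaign IoCs).
IN_MEMORY = re.compile(
    r"\s-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|frombase64string", re.I)

def reasons(ev):
    """Return the heuristics one process-creation event matches."""
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    child = PureWindowsPath(ev["image"]).name.lower()
    if parent not in SCRIPT_HOSTS or child not in POWERSHELL:
        return []
    hits = ["script host spawned PowerShell"]
    pcmd = ev["parent_cmdline"]
    if ".vbs" in pcmd.lower() and ARCHIVE_TEMP.search(pcmd):
        hits.append("VBS ran from archive temp folder")
    if IN_MEMORY.search(ev["cmdline"]):
        hits.append("in-memory execution flags")
    return hits

def detect(events, min_hits=2):
    """Flag events matching at least min_hits heuristics."""
    scored = [(ev["host"], reasons(ev)) for ev in events]
    return [(host, why) for host, why in scored if len(why) >= min_hits]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_cmdline": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\Temp1_doc.zip\doc.vbs"',
     "image": PS, "cmdline": "powershell.exe -NoP -W Hidden -enc QQBCAEMA"},
    {"host": "ws-02", "parent_image": r"C:\Windows\System32\cscript.exe",
     "parent_cmdline": r"cscript.exe \\dc01\netlogon\map.vbs",   # logon script
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use Z: \\fs01\share"},
    {"host": "ws-03", "parent_image": r"C:\Windows\explorer.exe",  # interactive use
     "parent_cmdline": "explorer.exe", "image": PS, "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for host, why in detect(EVENTS):
        print(host, "->", "; ".join(why))
```

Requiring two of the three heuristics keeps legitimate script-host automation that merely calls PowerShell from being flagged on its own.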

Beyond the Brazilian campaign, Trend Micro has documented similar WhatsApp Web propagation methods. These attacks reveal the potential for messaging platforms to be weaponized for automated propagation and targeted financial crime. The sheer scale of the potential damage is alarming.

The actors behind these scams aren’t necessarily sophisticated, advanced persistent threats (APTs). ESET researchers emphasize a human-centric approach, with trust, urgency, and control as the core drivers. The spread across regions and personas indicates a broad, decentralized scam network rather than a single, centralized operator. However, the Brazilian campaign offers stronger clues: the malware is attributed to a threat actor tracked as “Water Saci,” whose activity overlaps with the “Coyote” banking malware, placing both in the Brazilian cybercriminal ecosystem.

The impact extends beyond individual victims. The widespread adoption of WhatsApp means that a single screen-sharing scam can trigger a cascading effect, draining significant financial resources. Furthermore, the use of the platform for malware distribution demonstrates how a seemingly innocuous communication channel can be repurposed for automated propagation and targeted financial crime.

The good news is that Meta is responding. WhatsApp now displays a real-time warning when users attempt to share screens with unknown callers, advising them to proceed only with trusted contacts. Meta is also testing AI-based scam detection on Messenger to flag suspicious outreach and suggest blocking or reporting.

However, the responsibility doesn’t solely rest with Meta. Mitigation requires a proactive, layered approach. Never share your screen with unsolicited callers, regardless of their claimed identity. Always verify urgent claims through official channels – don’t trust a phone call alone. Decline requests to install remote-access tools. And, critically, maintain a healthy dose of skepticism.

The WhatsApp screen-sharing fraud demonstrates how adversaries can turn legitimate features into high-yield attack vectors with minimal technical overhead. By manipulating authority, urgency, and access, criminals achieve outcomes – account takeovers, financial theft, and onward social engineering – that rival more complex malware campaigns.

To effectively combat this evolving threat, it’s crucial to embrace fundamental security best practices and to remain vigilant. Enabling WhatsApp’s two-step verification adds a required passcode that can significantly hinder account takeover. Leveraging platform tools like passkeys and privacy checkups adds further resilience. Finally, reporting suspicious accounts and content helps broader enforcement against scam infrastructure.

Ultimately, the WhatsApp screen-sharing fraud serves as a stark reminder that digital security is not just about technology; it’s fundamentally about human behavior.
