An IT consultant claims to have found a security flaw in the Android version of the popular instant messaging app WhatsApp. Using malware with unrestricted access to the Android device's SD card, a hacker is able to extract WhatsApp private messages and upload them without the owner's knowledge.
On his blog, IT consultant Bas Bosschert posted sample code that can be added to a piece of malware. If an Android user installs the application and grants it full access to the device's SD card, the malware is able to steal private messages stored in WhatsApp system files. This is possible because WhatsApp stores chat history on the SD card by default. The user's private messages can therefore be uploaded to an external server without the user's permission or knowledge.
According to Google Play's policy guidelines and practices, applications that specifically collect a user's information without permission are banned; however, this hasn't stopped hackers from uploading malware to Google Play. As a word of caution, users of Android smartphones should be more careful when granting permissions to their installed applications. As observed by Ars Technica, WhatsApp's new owner, Facebook, may just be working on patches to this security flaw, "given Facebook's track record for producing secure code and services."