Back to Intelligence

NCSC Advisory: Hardening WhatsApp and Signal Against Targeted Account Takeovers

SA
Security Arsenal Team
April 12, 2026
6 min read

Introduction

The UK’s National Cyber Security Centre (NCSC) has issued a critical security alert aimed at “high-risk individuals”—a category encompassing journalists, lawyers, activists, and government officials—warning of ongoing, sophisticated cyber-attacks targeting encrypted messaging platforms. While the advisory highlights WhatsApp and Signal specifically, the implications extend to any organization relying on consumer-grade E2EE (End-to-End Encrypted) applications for sensitive communications.

The threat is not theoretical. We are observing a convergence of social engineering tactics—specifically SMS interception and SIM swapping—and potential zero-day exploits targeting the VoIP stacks of these applications. For defenders, the urgency is clear: default application configurations are insufficient for high-value targets. We must shift from passive usage to active, hardened configuration to prevent account takeover and device compromise.

Technical Analysis

Affected Products:

  • WhatsApp: Android, iOS, Windows, macOS, Web Client.
  • Signal: Android, iOS, Windows, macOS, Linux, Desktop.

The Attack Vector: While the NCSC alert does not disclose a specific CVE identifier for a new zero-day, the operational context implies the use of known and novel exploitation techniques:

  1. Social Engineering & Verification Fraud: Attackers manipulate the registration process by intercepting SMS verification codes (via SIM swapping or SS7 vulnerabilities) or engaging targets in social engineering to obtain the OTP.
  2. Device Exploitation (Zero-Click/Zero-Day): State-sponsored actors frequently exploit memory corruption vulnerabilities in the WebRTC or VoIP libraries used by these apps to execute code remotely, often before a user even answers a call.
  3. Metadata Leeching: The advisory explicitly warns against “Link Previews.” Malicious actors can send a URL containing tracking parameters or exploit code; when the application attempts to fetch a preview (rendering the HTML), it exposes the victim's IP address and can trigger remote code execution (RCE) or cross-site scripting (XSS) within the client.

Exploitation Status: Active exploitation of high-risk individuals is confirmed in the wild via threat intelligence communities, likely leveraging commercial surveillance tools or custom nation-state malware.

Detection & Response

Detecting attacks on E2EE platforms is challenging due to encryption. However, defenders can detect the installation of unauthorized or trojanized versions of these applications, or suspicious process executions resulting from malicious link previews.

The following rules focus on identifying these applications running from non-standard locations (e.g., a user running a portable, potentially malicious version from Downloads rather than the installed directory) and detecting child processes spawned by these apps (a sign of successful RCE).

YAML
---
title: Signal or WhatsApp Execution from Suspicious Directory
id: 8a4b2c19-1d3e-4f5a-9c6d-7e8f9a0b1c2d
status: experimental
description: Detects Signal or WhatsApp executables running from user directories or temp folders, often indicative of portable/trojanized binaries rather than standard installations.
references:
  - https://www.ncsc.gov.uk/
author: Security Arsenal
date: 2025/03/20
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\WhatsApp.exe'
      - '\Signal.exe'
    Image|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
      - '\Desktop\'
  filter_standard_install:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
      - '\WindowsApps\'
  condition: selection and not filter_standard_install
falsepositives:
  - Administrators testing portable versions
level: high
---
title: Suspicious Child Process Spawned by Messaging Application
id: 9c5d3e20-2e4f-5g6a-0d7e-8f9a0b1c2d3e
status: experimental
description: Detects potential exploitation of Signal or WhatsApp via unusual child processes (e.g., cmd, powershell) spawned directly by the application.
references:
  - https://attack.mitre.org/techniques/T1203/
author: Security Arsenal
date: 2025/03/20
tags:
  - attack.initial_access
  - attack.t1203
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\WhatsApp.exe'
      - '\Signal.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Rare; legitimate usage does not spawn shells
level: critical


**KQL (Microsoft Sentinel / Defender)**

This query hunts for instances where these messaging applications are executed, specifically filtering for those running outside of standard installation paths to identify potential unsigned or modified binaries.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where FileName in~ ("WhatsApp.exe", "Signal.exe")
| where FolderPath !contains "Program Files" 
  and FolderPath !contains "WindowsApps"
  and InitiatingProcessAccountName != "SYSTEM"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName, ReportId
| order by Timestamp desc


**Velociraptor VQL**

Hunt for the presence of these binaries and verify if they are running from unexpected locations or lack valid digital signatures.

VQL — Velociraptor
-- Hunt for Signal/WhatsApp processes and check path anomalies
SELECT Pid, Name, Exe, Username, SigStatus, SigPublisher
FROM pslist()
WHERE Name =~ "WhatsApp.exe" OR Name =~ "Signal.exe"
  AND NOT Exe =~ "Program Files"
  AND NOT Exe =~ "WindowsApps"


**Remediation Script (PowerShell)**

This script audits the endpoints for the presence of these applications and verifies their digital signatures against known publishers (Meta Platforms, Inc. for WhatsApp; Signal Messenger, LLC for Signal) to ensure they have not been replaced by trojanized versions.

PowerShell
# Audit WhatsApp and Signal Installation Integrity
$KnownPublishers = @{
    "WhatsApp.exe" = "Meta Platforms, Inc."
    "Signal.exe"   = "Signal Messenger, LLC"
}

Get-Process -ErrorAction SilentlyContinue | Where-Object { $KnownPublishers.ContainsKey($_.ProcessName + ".exe") } | ForEach-Object {
    $Proc = $_
    $Sig = Get-AuthenticodeSignature -FilePath $Proc.Path -ErrorAction SilentlyContinue
    $ExpectedPublisher = $KnownPublishers[($Proc.ProcessName + ".exe")]
    
    $Output = [PSCustomObject]@{
        ProcessName = $Proc.ProcessName
        Path        = $Proc.Path
        Status      = $Sig.Status
        Publisher   = $Sig.SignerCertificate.Subject
        Verified    = if ($Sig.Status -eq "Valid" -and $Sig.SignerCertificate.Subject -match $ExpectedPublisher) { "PASS" } else { "ALERT" }
    }
    
    if ($Output.Verified -eq "ALERT") {
        Write-Host "[!] Integrity Check Failed for $($Proc.ProcessName)" -ForegroundColor Red
        $Output | Format-List
    }
}

Remediation

Defenders must immediately advise high-risk users to apply the following configuration hardening steps. These are not optional best practices; they are necessary mitigations against active exploitation.

1. WhatsApp Hardening

  • Disable Link Previews: Go to Settings > Privacy > Link Previews and turn it OFF. This prevents the app from resolving URLs, blocking IP leaks and drive-by exploits.
  • Block Unknown Callers: Go to Settings > Privacy > Calls and enable Silence Unknown Callers. This mitigates zero-click VoIP exploits from unknown numbers.
  • Two-Step Verification: Go to Settings > Account > Two-Step Verification. Enable it immediately to add a PIN layer, preventing SIM-swap takeovers.
  • IP Protection: Ensure "Protect IP in Calls" is enabled (available in newer versions) to relay calls through WhatsApp servers, hiding user IP addresses.

2. Signal Hardening

  • Disable Link Previews: Go to Settings > Privacy > Disable Link Previews and turn it ON.
  • Registration Lock: Go to Settings > Account > Registration Lock. Set a strong PIN. This is critical for stopping SIM-swap attacks.
  • Allow from Contacts Only: Go to Settings > Privacy > Allow from Contacts Only (or disable "Who can find me by phone number" to "Nobody"). This reduces the attack surface for initial contact.

3. Operational Security

  • Device Hygiene: Ensure mobile OSs are updated to the latest version to patch underlying kernel and WebRTC vulnerabilities.
  • Re-registration: If a device is lost or compromised, immediately deactivate the account via the registration lock features or support channels to prevent session persistence.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socthreat-intelmanaged-socncscsignalwhatsappsocial-engineeringe2ee

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action