In recent years, the spread of apps dedicated to rapid communication between users (Instant Messaging, IM) has been exponential. A typical user runs more than one of these tools, depending on need (e.g. WhatsApp/Viber plus Messenger), to reach the widest number of contacts. Being free, compared with earlier systems such as SMS, together with the ability to extend content with multimedia and to create groups, sealed the natural and irreversible success of IM.


A technical breakthrough in IM apps was the automatic population of the app's own contact directory: if I download an IM app and do not find my friends in it, what use is it to me? Looking up my contacts one by one in the general phonebook and entering each into the app to see whether that friend uses it would be hopelessly awkward. For this reason (simplifying the underlying mechanism), IM apps read the user's general phonebook and automatically check whether the numbers in it are also present on their network (that is, whether they belong to users subscribed to that software): this way WhatsApp, Viber and the other IM systems find all of our contacts, very conveniently, and enter them in their own address book. This process, transparent to the user, does a lot of work in one stroke: when I meet a new person I simply put them in my general phonebook; then, as if by magic, when I open WhatsApp or Viber I find that contact among the app's contacts, ready to receive my messages.


The first side effect (unobserved and inevitable) of each app accessing the phonebook in this way is that it is enough to enter any number in your phonebook to check whether that number matches a user of your favorite IM app: among other things, shortly after inserting it we will find it among that app's contacts.

The second side effect (unnoticed) is that although the contact appears with the name or alias under which we stored it in our phonebook, we can see the avatar that person chose to represent themselves. Some systems allow you not to share this information, but in practice nobody uses the option, since it is natural to want to see who "he" is, and, symmetrically, "he" wants to see immediately who is getting in touch. It is the fun part of a social app: change your avatar often and let as many people as possible see it.




Now take a new phone and enter the phone number of a friend in the phonebook. Then, as a test, enter another 200 phone numbers, saving them under an arbitrary label (since they are complete strangers), say "unknown-CONTACT-001", "unknown-CONTACT-002", up to "unknown-CONTACT-200". For the telephone numbers, take our friend's number and, treating it as an integer rather than a phone number, add 1 to the previous one each time. So, starting for example from "3xx 47xx 345" (our friend's number), we insert "3xx 47xx 346" for "unknown-CONTACT-001", "3xx 47xx 347" for "unknown-CONTACT-002", up to "3xx 47xx 545" for "unknown-CONTACT-200". At the end the phonebook holds 201 numbers, of which only the first is "true and known": the other 200 are arithmetically consecutive numbers belonging to as many hypothetical unknown persons. Now open WhatsApp or Viber and go to the "contacts" section. A half-surprise awaits us: a selection of the numbers just inserted appears, each beside its avatar. These are all the invented numbers that belong to people enrolled in that specific IM service. Paradoxical as it may seem, given the penetration of WhatsApp in Italy, for example, it is very likely that we will see forty or more avatars in front of the 200 random numbers inserted.


IM apps generally do not download the avatar images every time the contacts view is opened; they populate and/or update them as we scroll down the contact list, to reduce requests and traffic to their servers. WhatsApp users will have noticed that, browsing the contact directory, the avatar of a contact entering the screen (at the bottom) sometimes flickers: the app is updating it. These images, which are not re-downloaded each time, are stored in the phone's storage and displayed in our list without wasting traffic. But we are tempted to save these images elsewhere, for example on one of our PCs or on a remote server. And that is what was done, collecting several million images of as many user accounts with numbers and prefixes of Italian operators.



The starting hypothesis of the exploitation was that, once in possession of the pair "phone number + avatar", it would be possible, using the avatar as a search key and analytic tools to extract more information from the image, to retrieve other personal data related to the number, ending up with the coveted and dangerous sequence: "number + avatar + name and surname" etc. To test this hypothesis (the first part of the attack), it was necessary to collect data, that is, a considerable number of phone numbers with their avatars (on which to test the search procedures), and to move them from the phone to an external archive for subsequent processing. The issues to deal with were therefore diverse. It was necessary to:
1. enter the numbers in the phonebook in an automated manner (e.g. 200 at a time), so as not to clog the phone's memory;
2. access the app's data, keeping in mind that every app has, for security reasons, a reserved storage space, so its data (including, for example, avatars) is not accessible externally, from other apps;
3. open the IM app and drive it as if a human user were operating it, so that the directory is populated with avatars (which, as mentioned above, are not downloaded unless the contacts are displayed [WhatsApp], or are not saved unless you tap the contact's detail sheet [Viber]);
4. retrieve the number-to-avatar correspondence;
5. empty the phonebook;
6. repeat the procedure from step 1.

The first step was to develop a client/server architecture whose components were:
1. the NOWISEEYOU client, a service installable on Android devices (a "service" runs in the background), able to fetch from the NOWISEEYOU server the numbers to enter in the address book each round, interact with the IM app over the new numbers, send the collected data back to the same server, and empty the phonebook each time as needed;
2. the NOWISEEYOU server, that is, an archive of numbers to look for and some scripts on a remote machine.

WORKING PARALLELY (goal: millions of accounts)

Since several devices would act simultaneously, in parallel, to speed up data collection, each NOWISEEYOU client app had to be uniquely identifiable so that they could work in sync without disturbing each other. NowISeeYou was installed and "worked" simultaneously on a dozen mobile devices. On the server side the problem was instead to populate the database with the numbers to test: you cannot know "a priori" whether a phone number is real, nor whether its owner has an IM client installed. This was resolved by inserting about 200M sequential (or nearly sequential :) numbers corresponding to the prefixes of Italian mobile operators. For the first test phase we started with a first tranche (about 1M numbers) built around a known "333 xxx xxxx" (the real number of a real friend); NowISeeYou then had to act blindly in search of numbers and accounts, which is precisely why (see above) a parallel screening system, several devices operating at the same time, was needed. Once the client (app)/server structure is set up, the IM client (WhatsApp or Viber) has to be installed on the devices, taking care to create as many accounts.

ACCESS TO RESERVED AREAS OF OTHER APP (Objective: Access files / data of avatars and anything else of WHATSAPP and VIBER)

The problem of the "private data area" inaccessible to other apps was easily overcome by installing NOWISEEYOU on "rooted" Android devices: on these devices an app can obtain "master" privileges (that is, "root"), which give access to all folders and phone storage, including those reserved for other apps.

VIRTUALIZATION OF DEVICES (goal: speed and effectiveness)

To speed up and standardize the setup and configuration of NOWISEEYOU, no physical devices (real phones) were used, but emulators (the choice fell on an excellent piece of software, "Memu", but there are several similar ones). In practice these are "virtualized", non-physical devices: they open as windows on a regular PC. The emulator solution has considerable benefits:
• emulators can be configured automatically as "rooted" (a procedure that can take time on a real phone);
• they can be activated and deactivated with a simple click;
• they can be configured extremely effectively;
• they can be duplicated/multiplied arbitrarily (given as many SIMs and accounts, and PCs on which to run them);
• no battery problems, malfunctions, or need to buy hardware.

The emulators were run on several PCs and so could grind through data uninterrupted, night and day, 24/7. For a few euro (the price of a SIM) we could add a new "virtualized device" to our "account shelter".

ACT AS A USER. COORDINATE: PHONEBOOK + WHATSAPP / VIBER + AVATARS (goal: collect the avatars and save them to the archive on the NOWISEEYOU server).

Having verified that the NowISeeYou clients interacted with the NowISeeYou server and received their quota (a block of phone numbers) to enter in the address book, a strategy had to be chosen to make the IM app populate the data that would later be collected (numbers + avatars). For this I opted for a strategy of disarming simplicity that sidesteps any problem: the NOWISEEYOU client would behave "as a human", simulating the user's actions. NOWISEEYOU was therefore developed to be able to:
1. act in the background and open WhatsApp (or Viber, respectively);
2. empty the phonebook;
3. ask the NOWISEEYOU server for the first/next block of phone numbers (e.g. 200);
4. load the numbers into the phonebook;
5. scroll the contact list as if "the user" wanted to, and so on.

Simplifying the process: NOWISEEYOU simulates user touches on the display, moves to the IM app's address book section, waits for an appropriate latency interval, and then starts to scroll (WhatsApp) or scroll and tap (Viber) the elements in the contact list, which in the meantime is populated with the numbers that have accounts on the respective platform (a subset smaller than those actually loaded in the phonebook). Once this procedure is complete, NowISeeYou retrieves the numbers and avatars collected and sends them to the server, cleans the phonebook, and starts again. A single virtual device could test just under 100k numbers in 24 hours. As a result, with 10 devices available, just under 1M numbers were tested in 24h. With 100 emulators available...
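A defensive counterpart to the sync pattern and throughput just described, as an added example (not NOWISEEYOU's code, nor any IM vendor's): server-side heuristics a contact-discovery backend could run over one account's contact-sync uploads to flag blocks of arithmetically consecutive numbers. The event format, thresholds and sample data are assumptions constructed for the example.

```python
# Added defensive example (not NOWISEEYOU's code, nor any IM vendor's): heuristics a contact-discovery
# backend could apply to sync uploads to spot blocks of consecutive numbers uploaded by one account.
DAY = 86400
MAX_LOOKUPS_PER_DAY = 5000   # assumed threshold: well above any realistic phonebook
MAX_SEQUENTIAL_RATIO = 0.5   # assumed threshold: share of numbers whose predecessor is also present
MAX_CONSECUTIVE_RUN = 20     # assumed threshold: a human phonebook has no such run

def _values(numbers):
    """Distinct integer values of digit-only number strings; anything else is ignored."""
    return {int(n) for n in numbers if n.isdigit()}

def sequential_ratio(numbers):
    """Fraction of distinct numbers whose arithmetic predecessor (n - 1) is also present."""
    vals = _values(numbers)
    return sum(1 for v in vals if v - 1 in vals) / len(vals) if vals else 0.0

def longest_run(numbers):
    """Length of the longest run of consecutive integers among the numbers."""
    vals = sorted(_values(numbers))
    best = run = min(1, len(vals))
    for prev, cur in zip(vals, vals[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best

def assess_account(events):
    """events: [{"ts": unix_seconds, "numbers": [digit strings]}, ...] for one account.
    Returns (flagged, reasons) over the uploads in the 24h ending at the latest event."""
    if not events:
        return False, []
    latest = max(e["ts"] for e in events)
    recent = [n for e in events if e["ts"] >= latest - DAY for n in e["numbers"]]
    reasons = []
    if len(recent) > MAX_LOOKUPS_PER_DAY:
        reasons.append(f"{len(recent)} lookups in 24h")
    ratio = sequential_ratio(recent)
    if ratio > MAX_SEQUENTIAL_RATIO:
        reasons.append(f"sequential ratio {ratio:.2f}")
    run = longest_run(recent)
    if run > MAX_CONSECUTIVE_RUN:
        reasons.append(f"consecutive run of {run} numbers")
    return bool(reasons), reasons

# Constructed sample: an ordinary user syncing a small phonebook, and an account uploading
# five 200-number blocks that continue each other arithmetically (the pattern described above).
NORMAL_EVENTS = [{"ts": 1_700_000_000, "numbers": ["393471234567", "393331112222", "393901010101"]}]
ENUMERATOR_EVENTS = [
    {"ts": 1_700_000_000 + i * 600, "numbers": [str(393470000000 + i * 200 + k) for k in range(200)]}
    for i in range(5)
]
```

The enumerating account trips both the sequential-ratio and consecutive-run checks even though its 1000 lookups stay under the daily volume limit, which is the point: volume alone is a weak signal, the arithmetic structure of the uploads is not.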

Cross social avatar exploit - details

(Estimated) Danger: ★★★★★ (Medium Low).

It is based on the possibility that a user uses the same avatar(s) on different social networks. The attack is automated and unattended: the attacker's program extracts the avatars from the archives and processes them in sequence. Using one or more reverse image search tools, each avatar (present in the NowISeeYou archives) is searched on the web, and the results are scanned to see whether the same image is used on and/or linked to other social networks, in particular Facebook or LinkedIn.

NowISeeYou at this point stores the links found and can extract (for example) the person's name and surname, or simply store the link(s). In fact, roughly 1 user in 50/70 uses (at different times) the same profile image on several social networks: obviously most of these people have a stable professional profile/image/avatar and, paradoxically, whatever their privacy settings, these are people who do not want to make their number available to strangers in any way.

As a result of this attack method, you can query the NowISeeYou archive starting from a surname and name, to see whether it appears in any of the links found. If so, you also have the phone number of the person sought... Anyone can check personally whether they are exposed to this kind of exploit with the following method: connect to any "reverse image search" service (for example the one provided by Google at the following link), upload your own avatar, the one used on your IM app, and check whether the results include a link to other social networks or company platforms. If so, you could potentially be exposed to the attack. Of course there is the possibility of false positives, for example when the avatar stored in NowISeeYou belongs to a user who, ironically or not, used the image of a famous actor or actress. Curiously, a small percentage of users do this. The same goes for team flags, sports uniforms, etc. This attack is viable (with greater probability of success) in the inverse direction, when the attacker targets a specific user. In this case the attacker retrieves the target's avatar from the web, taking that of a Facebook or LinkedIn profile, and then queries the NowISeeYou archive to see whether the avatar is present. The third type of attack, the more dangerous one ("voodoo doll"), was developed from this concept.

Similar image exploit - details

(Estimated) Danger: ★★★★★ (Low).

It is an extension of the "cross social" attack, but not limited to social networks, and can be applied when the previous one fails. This attack does not concern only facial images, which are more easily reused on other social tools: rather, it searches for the image on the web and compares it with compatible results. It may or may not be supervised by the attacker. The program is limited to reporting to the attacker (or saving for further processing) a list of possible matches found.

Voodoo Doll exploit - details

(Estimated) Danger: ★★★★★ (Medium High).

This is the most paradoxical and most dangerous exploit, as it could potentially expose any person using an avatar that contains their face. The name ("voodoo doll") was chosen because it is enough for the attacker to obtain one or more photos of the person he wants to "stick", perhaps by taking or retrieving them anywhere. Of course the photo(s) are not present in the NowISeeYou archives, but, using Face Detection tools, NowISeeYou extracts from the "doll" data concerning sex, age, and particular characteristics (beard, mustache, hair color, facial shape: depending on the software tool used).

At this point, with a confidence level chosen by the attacker, NowISeeYou presents the attacker with a series of images that "resemble" the "doll", both in terms of the extracted attributes and other visual criteria. The attacker can evaluate whether any of them is the person sought: at that point the attacker has their phone number. In conclusion: exactly as in the worst film about police archives.

It may seem that this attack has little chance of success; on the contrary, it turns out to be extremely effective. A very high percentage of people use WhatsApp or Viber, and the attacker (who is both smart and patient) collected the data starting from national telephone prefixes (in our case those of Italian operators), and can restrict the search for the "doll" so that its features are compared only with user data having specific visual features, limiting the number of possible results.