Executive Summary
In early 2024, a growing wave of cyber scams exploited WhatsApp’s new screen-sharing feature. Threat actors, posing as trusted contacts or customer support agents, lured victims into screen-sharing sessions under false pretenses—most often by claiming to offer help or resolve issues. Once shared, attackers gained access to sensitive information displayed on victims’ devices, including banking credentials and one-time passwords (OTPs), resulting in significant financial losses and compromised personal data. The scam’s speed and sophistication allowed fraudsters to bypass traditional awareness training and exploit even tech-savvy users.
This incident highlights how social engineering threats adapt quickly to new app features, and underscores the need for rapid security responses. With mobile devices playing a pivotal role in personal and financial life, the exploitation of trusted communication platforms marks a critical evolution in phishing and remote fraud tactics.
Why This Matters Now
As messaging platforms continuously add features, threat actors are quick to exploit the point where convenience meets security. The WhatsApp screen-sharing scam demonstrates how even well-intentioned upgrades can introduce urgent, hard-to-detect risks, emphasizing the need for proactive controls, user education, and real-time threat monitoring right now.
Attack Path Analysis
The attack began when victims were tricked via social engineering into sharing their WhatsApp screens with scammers, providing initial access to sensitive information. The attackers leveraged this access to escalate privileges, often by convincing users to reveal authentication codes or personal account info. Next, the attackers maneuvered within the victim’s digital environment to seek additional credentials or lateral movement opportunities, such as accessing linked banking or cloud accounts. They established command and control through remote session tools and open chat platforms to maintain persistent access. Sensitive data, including financial details, was then exfiltrated covertly. The impact culminated in financial theft, loss of privacy, and potential compromise of additional personal accounts.
Kill Chain Progression
Initial Compromise
Description
Attackers initiated contact through WhatsApp, deceiving users via persuasive phishing messages to enable screen sharing, granting attackers visibility into sensitive on-screen data.
Related CVEs
CVE-2025-30401
CVSS 7.8
A vulnerability in WhatsApp Desktop for Windows allows remote attackers to execute arbitrary code via spoofed file attachments.
Affected Products:
Meta WhatsApp Desktop for Windows – < 2.2450.6
Exploit Status:
proof of concept
CVE-2025-55177
CVSS 8.1
An incomplete authorization vulnerability in WhatsApp for iOS and Mac allows unauthorized processing of content from arbitrary URLs.
Affected Products:
Meta WhatsApp for iOS – < 2.21.170
Meta WhatsApp for Mac – < 2.21.170
Exploit Status:
exploited in the wild
CVE-2025-21042
CVSS 8.5
A vulnerability in Samsung's image processing library allows remote attackers to execute arbitrary code via malicious DNG files.
Affected Products:
Samsung Galaxy Series – < April 2025 Patch
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Service
Phishing for Information: Voice Phishing
User Execution: Malicious Link
Input Capture: Web Portal Capture
System Script Proxy Execution
Email Collection: Remote Email Collection
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure User Authentication
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10
CISA Zero Trust Maturity Model 2.0 – User Social Engineering Defenses
Control ID: User Pillar: Awareness and Training
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21(2)e
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
WhatsApp screen-sharing social engineering attacks directly target sensitive financial data, exploiting trust relationships to bypass traditional security controls and compliance frameworks.
Banking/Mortgage
Screen-sharing scams pose critical risks to banking operations by enabling real-time credential theft and account access through manipulated customer communication channels.
Insurance
Social engineering via WhatsApp screen-sharing compromises policyholder data and claims processing systems, requiring enhanced east-west traffic monitoring and zero trust controls.
Health Care / Life Sciences
Healthcare WhatsApp usage creates HIPAA compliance violations when screen-sharing scams expose patient data, demanding encrypted communications and anomaly detection capabilities.
Sources
- Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming – https://www.welivesecurity.com/en/scams/sharing-is-scaring-whatsapp-screen-sharing-scam/
- Police Advisory On Impersonation Scams Involving The WhatsApp Screen Sharing Function – https://www.police.gov.sg/media-hub/news/2025/06/20250626_police_advisory_on_impersonation_scams_involving_the_whatsapp_screen
- WhatsApp security warning - zero-click bug hits Apple users with spyware, so update now – https://www.techradar.com/pro/security/whatsapp-security-warning-zero-click-bug-hits-apple-users-with-spyware-so-update-now
- Samsung phones infected with 'Landfall' spyware through WhatsApp images - what you need to know – https://www.tomsguide.com/computing/malware-adware/samsung-phones-infected-with-landfall-spyware-through-whatsapp-images-what-you-need-to-know
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, granular network policy enforcement, egress control, and advanced threat detection could have limited or detected the attacker’s ability to move laterally, capture data, or exfiltrate sensitive information in cloud-connected apps. Implementing CNSF controls would have compartmentalized access, restricted unauthorized communication paths, and provided real-time anomaly detection during exploitation.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious remote session activities are detected and an alert is generated.
Control: Zero Trust Segmentation
Mitigation: Unauthorized privilege escalation attempts are restricted.
Control: East-West Traffic Security
Mitigation: Unusual internal connection attempts are blocked or logged for investigation.
Control: Cloud Firewall (ACF)
Mitigation: Outbound command and control traffic is identified and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exfiltration attempts are thwarted.
Rapid detection and response minimize further damage.
Impact at a Glance
Affected Business Functions
- Customer Support
- Financial Transactions
- User Account Management
Estimated downtime: 3 days
Estimated loss: $3,000,000
Unauthorized access to sensitive user data, including financial information, personal identification details, and private communications, leading to potential identity theft and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular Zero Trust segmentation and access controls to minimize the risk of unauthorized lateral movement after credential compromise.
- Implement continuous anomaly detection and real-time threat response for remote access and suspicious user behaviors.
- Apply strict egress filtering and application-layer controls to prevent unauthorized exfiltration of sensitive data from cloud environments.
- Centralize visibility and policy enforcement across multicloud and hybrid environments to accelerate incident detection and response.
- Regularly educate users on social engineering risks and enforce security best practices for all communication and collaboration tools.