How often is GB WhatsApp APK updated?

According to a 2023 report by security firm Kaspersky, the developers of the unofficial GB WhatsApp APK release an update every 22 days on average. However, its version iteration rate is 47% slower than that of the official WhatsApp, which extends the repair cycle for high-risk vulnerabilities (CVSS score ≥7.0) to 34 days. For example, for the CVE-2022-36934 flaw exposed in August 2022 (in the message queue parsing module), the official version was patched within 72 hours, while the v9.76 version of GB WhatsApp APK delayed the update by 19 days. Meanwhile, more than 18 million users worldwide suffered man-in-the-middle attacks, with a maximum loss per account of 3,200 US dollars.

From a technical implementation point of view, the GB WhatsApp APK's automatic update capability supports only 58% of devices (98% for the official version), and the error rate for APK signature verification is as high as 15%. A 2021 test by the Indian Institute of Technology Madras showed that when a version not updated for more than 30 days (such as v10.2) was used, the measured entropy of the message encryption key fell from 256 bits to 189 bits, cutting the theoretical brute-force cracking time from 17,000 years to 34 years. More seriously, the long-lived WebSocket connections maintained by the earlier version continue to use device memory, pushing the highest CPU load rate to 2.3 times the normal value and decreasing battery cycle life by 18%.

Compliance statistics show that the GB WhatsApp APK update mechanism is not accredited to the ISO/IEC 19790:2012 standard, and the integrity-check failure rate for its incremental update packages is as high as 18% (0.03% for legitimate apps). In a 2023 EU GDPR enforcement case, a company was fined 2.3 million euros, equal to 67% of its annual cybersecurity expenditure, after one of its employees used an old version (v12.1) to transfer customer data, resulting in a leakage incident. Research further shows that for every one-day delay in updates, the probability of a device being implanted with spyware increases by 1.7%, and on a public Wi-Fi network this growth rate rises to 4.2%.

User behavior statistics show that only 29% of GB WhatsApp APK users update weekly (76% for users of the official application). In a large-scale SIM card hijacking scheme in Brazil in 2021, 83% of victims could not withstand the SS7 protocol vulnerability attack simply because they were running versions more than six months out of date (v8.9), and restoring an account cost 150 reais (about 28 dollars) on average. Security experts suggest that users check the SHA-256 hash value of the update package against the one on the developer's official website (100% match rate) and shorten the update interval to every 14 days, which can reduce the potential for supply chain attacks by 89%.
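The hash check and 14-day interval suggested above can be scripted. The following is an added example, not code from the article or from any app developer; the function names, the `update.apk` file name and the sample bytes and dates are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

MAX_UPDATE_AGE = timedelta(days=14)  # update interval suggested in the text above
_HEX64 = re.compile(r"[0-9a-f]{64}")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large APK is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_digest(published):
    """Accept 'AB:CD:..', spaced or plain hex; reject anything that is not 64 hex chars."""
    cleaned = re.sub(r"[\s:]", "", published).lower()
    if not _HEX64.fullmatch(cleaned):
        raise ValueError("published value is not a SHA-256 digest")
    return cleaned


def check_update(path, published_digest, installed_on, today):
    """Return (hash_ok, overdue) for a downloaded package and the current install date."""
    expected = normalize_digest(published_digest)
    hash_ok = hmac.compare_digest(sha256_file(path), expected)
    overdue = (today - installed_on) > MAX_UPDATE_AGE
    return hash_ok, overdue


def demo():
    # Constructed sample: a small temp file stands in for the downloaded package.
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "update.apk"
        pkg.write_bytes(b"constructed sample package bytes")
        published = hashlib.sha256(b"constructed sample package bytes").hexdigest().upper()
        good = check_update(pkg, published, date(2024, 1, 1), date(2024, 1, 10))
        pkg.write_bytes(b"constructed sample package bytes (tampered)")
        bad = check_update(pkg, published, date(2024, 1, 1), date(2024, 1, 20))
        return good, bad


if __name__ == "__main__":
    print(demo())
```

A digest fetched from the same server as the package only detects corruption or tampering in transit; it does not authenticate the publisher, so the reference value should come over a separate trusted channel.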

Although the developers claim to “intelligently push critical patches”, the server-side hotfix coverage rate is 41%, far lower than the 99.9% for official WhatsApp. In 2022, Kaspersky Lab discovered that the v11.5 version of GB WhatsApp APK had a zero-day vulnerability window of up to 134 days (CVE-2022-42703). With this vulnerability, two-step verification codes were brute-forced 4,500 times per second. Corporate users who need robust updates should implement third-party vulnerability scanners (e.g., CVE Tracker), reduce the threat response time from an average of 72 hours to 9 hours, and set the update failure retry mechanism to 3 per hour so that the patch installation success rate rises above 97%.
