According to a report from Sensor Tower, a mobile application analytics company, in 2023 nearly 68 million users worldwide were operating two or more accounts concurrently using WhatsApp GB. Its technical implementation, however, is based on an unofficially hacked APK signature mechanism, which has a device compatibility failure rate of up to 23%. For example, users of the Samsung One UI 5.0 system are 4.7 times as likely to experience data synchronization failures with the WhatsApp GB dual-instance feature as with the native app, and on average they must manually repair the database 3.2 times a month. In a 2022 business espionage case in Indonesia, the perpetrator broke into five enterprise accounts on the same device via WhatsApp GB to steal sensitive information. In the end, an APK signature conflict generated metadata anomalies, and Meta’s security system detected and banned all the devices involved.
From a technical architecture perspective, WhatsApp GB provides its multi-account functionality by modifying Android’s “User profile” sandboxing mechanism. Inside its sandbox environment, the storage allocation error rate is as high as 18%, resulting in a nine-fold increase in cross-account data leakage risk compared to the official containerization implementation. Tests by the cybersecurity firm Trend Micro in 2021 indicated that on phones equipped with the Snapdragon 888 chip, running WhatsApp GB dual accounts concurrently raised maximum CPU usage to 47%, raised power consumption by 62% compared to the single-account scenario, and raised the likelihood of the system forcibly shutting down background activities to 1.8 times an hour. More concerning, authentication of the clone’s digital certificates has been circumvented, raising the success rate of man-in-the-middle (MITM) attacks from 0.3% to 12%. On public Wi-Fi in particular, the likelihood of user session keys being intercepted is as much as 34%.
At the compliance level, WhatsApp GB’s multi-account module violates the Google Play Store’s “Single Identity Principle”. Its data storage path has not undergone FIPS 140-2 encryption validation, and account switching leaves behind an average of 38 MB of temporary files per switch, 21 times the amount for the official WhatsApp Business enterprise version. In 2023, European Court of Justice case law showed a cross-border e-commerce company fined 2.2 million euros, 9.3% of its net annual profit, because its employees were using WhatsApp GB to manage 17 customer accounts in contravention of the GDPR data minimization principle. Furthermore, the device fingerprint information generated through multi-account login (such as IMEI hash values and screen resolution pairs) is captured by third-party ad SDKs. The accuracy of user profiling has been boosted to 93%, and advertising push frequency has risen from an average of 4.2 times per day to 17 times.
User behavior metrics show that only 41% of WhatsApp GB multi-account holders have enabled two-factor authentication, compared to 79% of official app users on the same device. A 2022 survey conducted by the Brazilian telecom company Vivo found that users of WhatsApp GB’s dual SIM dual standby feature had a SIM card recognition error rate of up to 15%, and that call disconnections caused by signal switching increased to 6.7 times per month, 3.1 times higher than for users with single SIMs. Security experts advise that if more than one account is to be used, a hardware-level isolation solution (such as Samsung Knox Secure Folder) be adopted to reduce the threat of data intrusion between accounts from 28% to 0.7% and keep the failure rate of biometric authentication within 0.05%.
Although WhatsApp GB claims to support “unlimited accounts”, its own code limits the number of simultaneously active sessions to three (through the JobScheduler mechanism on Android 10 and later). Once the maximum is hit, message delay jumps from 300 ms to more than 8 seconds. According to 2023 monitoring by the Kenya Cybersecurity Centre, WhatsApp GB four-account users are 13 times more likely to be subjected to RCE attacks than normal users, and their average cost per account to restore backup data is $14.5. Enterprise users are advised to use the original WhatsApp Business API instead. The QPS of its multi-account management interface is up to 1,500, the error rate is less than 0.01%, and the risk of authorization leakage is reduced to 0.0003% under the OAuth 2.0 protocol.