Concern in Brazil about messaging app security

Bnamericas Published: Wednesday, July 03, 2019
Concern in Brazil about messaging app security

Can a messaging app like Telegram be hacked? The question has gained relevance in Brazil, where leaked messages between a federal judge and Lava Jato prosecutors has raised ethical questions and created a political scandal.

Last month, investigative news site The Intercept published the report that has come to be known as “Vaza (leak) Jato” based on leaked Telegram messages between then-federal judge Sergio Moro and lead prosecutor Deltan Dallagnol that suggested there was collusion between the two in jailing popular leftist ex-president Luiz Inácio Lula da Silva – who was the biggest obstacle standing in the way of then-candidate and current President Jair Bolsonaro.

Moro and the prosecutors’ claim that their phones were hacked is being investigated by the federal police, while The Intercept will not reveal how it got access to the messages.


Telegram, like WhatsApp, claims that messages are protected with end-to-end encryption and cannot be seen by third parties. But Telegram goes beyond encryption and says its chats have a self-destruction feature that erases messages once read.

“Sometimes databases on both ends of communication are cryptographed, but the middle of it, the physical infra, is not. This could pose a risk for interception,” Fernando Capella, country manager of Ciena in Brasil, told BNamericas.

Ciena is one of main suppliers of telecommunications networking equipment, particularly optical transport solutions.

Telegram also says that its two-step verification is “unbreakable.” The process demands generating a password that will be required every time users log into their account from a new device, in addition to a code sent via SMS.

“The two-step verification adds a password to the SMS code. So even if someone has cloned your cellphone SIM card, that person cannot sign in without the password,” Telegram said on a Twitter post after the Vaza Jato case broke.


According to Luis Corrons of digital security firm Avast, someone could have infected Moro's phone with Remote Access Tool (RAT) spyware in the Vaza Jato case.

This can happen via phishing, i.e., sending a malicious SMS to the victim's phone tricking the user to click on a link that activates the download of a spyware.

Another possibility is that weak device PINs were used by Moro or the prosecutors, which could have allowed someone to easily access and copy the messages, or even install spyware for remote monitoring.

Fábio Assolini, senior security researcher at Kaspersky, has a similar view. He thinks a third party could have gained physical access to an unattended and unprotected device and downloaded a spy or remote access Trojan.

Another possibility is a security vulnerability known as remote code execution (RCE), which allows an attacker to execute codes from a remote server as recently happened in WhatsApp.


One of the most likely techniques applied in the case, however, is “SIM-SWAP,” generally used by hackers colluding with employees of the mobile operator, who have access to the victim's number on another chip or SIM card.

A traditional attack known as SS7 hack is another possibility.

This attack takes advantage of a vulnerability in the design of the Signaling System 7 (SS7), which is the basis of the mobile phone network infrastructure. The SS7 is a protocol that connects the different mobile networks by allowing them to exchange calls and messages.

A hack at this point allows data theft, calls eavesdropping, location tracking and even intercepting messages from instant messaging applications.

According to Kaspersky, SS7 attacks were initially used by espionage agencies, the most famous case being the NSA espionage program exposed by whistleblower Edward Snowden in 2013, which brought to light the fact that the US agency had been spying on Brazil’s then-president Dilma Rousseff was a target.

Following the scandal, Brazilian army and intelligence officials recommended that the country’s authorities use secure phones, which are not compatible with social media and messenger apps, the kind currently favored by WhatsApp and Twitter aficionado Bolsonaro.

At the corporate level, another problem in Brazil is the overall slow detection and late response to cyberattacks or data breaches.

Speaking at the Ciab Febraban finance technology event in São Paulo last month, Yanis Stoyannis, Embratel‘s manager of cybersecurity and innovation, said that, globally, the average time to detect a cyberattack last year was 197 days. In contrast, Brazil needed 240 days on average, and up to an additional 100 days to contain the invasion.

Subscribe to the most trusted business intelligence platform in Latin America. Let us show you our solutions for Suppliers, Contractors, Operators, Government, Legal, Financial and Insurance.

Subscribe to Latin America’s most trusted business intelligence platform.

Other projects in: ICT

Get critical information about thousands of ICT projects in Latin America: what stages they're in, capex, related companies, contacts and more.

Other companies in: ICT (Brazil)

Get critical information about thousands of ICT companies in Latin America: their projects, contacts, shareholders, related news and more.

  • Company: Hispamar Satélites S.A.  (Hispamar Satélites)
  • Hispamar Satélites (Hispamar) is located in Rio de Janeiro, Brazil and is a subsidiary of Hispasat Group, a Spanish telecommunication satellite operator. Hispamar was founded in...
  • Company: Oi S.A.  (Oi)
  • Oi is a Brazilian quad-play telco established in 1998. Its service portfolio includes fixed-line and mobile telephony, broadband, pay-TV, Internet and others for residential cli...
  • Company: Brisanet Telecomunicações S.A.  (Brisanet)
  • The description included in this profile was taken directly from an official source and has not been modified or edited by BNamericas’ content team. However, it may have been au...