How to decrypt WhatsApp messages for Android


From the very beginning, at least on Android, the WhatsApp database stored on the device has been kept encrypted, to prevent someone from easily taking messages from conversations by simply accessing the database.

On iPhone it has not been handled in the same way, and the database has remained unencrypted for many versions.

Figure 1: Learn how to decrypt WhatsApp messages for Android without the encryption key.

Systematically, version after version of WhatsApp for Android, it has been shown how a forensic analyst could decipher the contents of a conversation database.

Here we have seen how to do it with databases in the crypt4 format or the later crypt5 format used by WhatsApp for Android.

In today's article I am going to explain how someone with access to a device can decrypt the WhatsApp backups on Android without needing the password.

WhatsApp Backups

WhatsApp normally generates a backup copy automatically every day. It saves your chat history in the phone's memory or on a memory card, depending on the user's configuration, and these copies are used to access all conversations at any given time.

Figure 2: Backups for this week of August 2017.

For this purpose, a file is created with a name in the format msgstore-YYYY-MM-DD.1.db.crypt12, which is encrypted with a key that is generated on the device every time we install WhatsApp, so only that key can be used to decrypt all the backup copies of the database encrypted with it.
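For a responder taking stock of what a handset keeps in shared storage, the naming scheme described above (msgstore-YYYY-MM-DD.1.db.crypt12 for daily copies, msgstore.db.crypt12 for the database in use) is enough to inventory the backups in a file listing. This is an added example, not code from the original article; the function names are hypothetical and the paths in SAMPLE are constructed.

```python
import re
from datetime import date

# Matches the database in use (msgstore.db.crypt12) and the dated daily copies
# (msgstore-YYYY-MM-DD.1.db.crypt12); the number after "crypt" is captured.
BACKUP_RE = re.compile(
    r"^msgstore(?:-(\d{4})-(\d{2})-(\d{2})\.\d+)?\.db\.crypt(\d+)$"
)

def parse_backup(path):
    """Return a dict describing one backup file, or None if it is not one."""
    name = path.rsplit("/", 1)[-1]
    m = BACKUP_RE.match(name)
    if not m:
        return None
    y, mo, d, version = m.groups()
    try:
        day = date(int(y), int(mo), int(d)) if y else None
    except ValueError:
        return None  # backup-like name, but the calendar date is impossible
    return {"path": path, "date": day, "crypt": int(version), "live": day is None}

def inventory(paths):
    """Summarise the backups found in a file listing for a triage report."""
    found = [b for b in map(parse_backup, paths) if b]
    dated = sorted(b["date"] for b in found if b["date"])
    return {
        "count": len(found),
        "live": [b["path"] for b in found if b["live"]],
        "oldest": dated[0] if dated else None,
        "newest": dated[-1] if dated else None,
        "formats": sorted({b["crypt"] for b in found}),
    }

# Constructed listing, as it might be collected from a handset's shared storage.
SAMPLE = [
    "/sdcard/WhatsApp/Databases/msgstore.db.crypt12",
    "/sdcard/WhatsApp/Databases/msgstore-2017-08-14.1.db.crypt12",
    "/sdcard/WhatsApp/Databases/msgstore-2017-08-20.1.db.crypt12",
    "/sdcard/WhatsApp/Databases/msgstore-2017-02-30.1.db.crypt12",  # invalid date
    "/sdcard/DCIM/Camera/IMG_0001.jpg",
]

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

The oldest and newest dates show how many days of chat history sit in storage that other apps or anyone holding the handset can read.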

Victim's chat with a person 

This is the process by which you can get access to a chat conversation from the daily copies of WhatsApp for Android if you have access to the mobile terminal.

An article some time ago explained how you can use Metasploit to control an Android terminal, and that is what will be used for this process too.

Figure 3: WhatsApp conversation to be accessed

First we are going to create a payload with msfvenom from our Kali Linux to create a backdoor in the victim's device.

As explained in the article Stealing WhatsApp from Android with Metasploit, what we are going to use is a malicious APK created with msfvenom so that, when the victim executes it on the terminal, we receive a Meterpreter session in our Metasploit.

Figure 4: Creation of the malicious apk with msfvenom to do Reverse TCP Shell

Now we are going to use Metasploit Framework. We configure Metasploit with our data in order to listen for the request from the payload. When it is executed on the device, the session will appear.

Figure 5: Metasploit listener listens to receive TCP session
Figure 6: When the victim executes the msfvenom APK, we already have access to the Android terminal.

Once inside the victim's device, we go to the WhatsApp folder on Android. By default, I have it located on the sdcard.

Here you can see the backups of the WhatsApp for Android databases, next to the one in use right now, which corresponds to "msgstore.db.crypt12".

Figure 7: WhatsApp for Android databases.

Once we have the WhatsApp database and access to the target device, it remains for us to decrypt it.

If the target device has root permissions (i.e., it is rooted), we can skip ahead to the point where I explain how to obtain the private key, since it would not be necessary to steal the account, and it would be enough to use WhatsApp Viewer with the private key and the database.

A device with root permissions gives the user administrative access to the system on the device, and this makes it more vulnerable to hacking attacks, malware and the execution of exploits.

But let's assume that we can't access the key. What we are going to do is generate a new backup copy of the WhatsApp database on another device with the same chats, by taking advantage of the information that the WhatsApp servers hold about the devices.

That is, they can decrypt the databases without having the device's private key.

They keep those keys for "usability". This allows databases to be migrated from one device to another without the need to have the encryption key. Let's take a look at it.

Decrypting the WhatsApp database for Android

To do this process, we will use a second device in which we will install WhatsApp for Android.

In my case I will use an Android emulator that has root permissions, and then import the backup copy that we brought back from the device via Metasploit.

Now we pass the WhatsApp database that we have brought back to the Android device in the emulator, inside the Databases folder of the WhatsApp folder. If it does not appear, it is created.

Figure 8: Copying the database to the emulator

Now we open WhatsApp for Android in the emulator and enter the target's phone number to complete the registration process.

This will cause a confirmation message to be sent to the target terminal, which at this time is controlled by Metasploit.

This is the normal registration process for WhatsApp when the account is connected to a new device.

Figure 9: Registering WhatsApp for Android in the emulator

We need the SMS verification code, so we go back to the session that we have in Metasploit, download the SMS messages and open them with a text editor. I will use nano.

Figure 10: Accessing the SMS of the target terminal

We already have the verification code. Now all that remains is to restore. Of course, if the target had configured Two-Step Verification in WhatsApp, we would not be able to continue at this point, so if you have WhatsApp and do not have this protection, think about setting it up as soon as possible.

Figure 11: WhatsApp registration code accessed

Once the restore has finished, we wait for the WhatsApp for Android chats. This connection will remain active until the target re-verifies his account on his terminal, as he will not be able to use it there. In addition, all contacts will be alerted that the WhatsApp private key of this contact has changed, so it's not exactly a silent process.

Figure 12: Restoring the WhatsApp database in the emulator.

We already have the conversations, which have been imported from the WhatsApp database, but now we want to import them to save them.

This is because the WhatsApp servers store information to do this process, and we have used it to decrypt the database without needing to have the encryption keys of the target device.

Figure 13: Conversations imported from the device

This is important because it means that WhatsApp stores enough information on the servers to decrypt any database from any terminal regardless of whether the key is available or not, which opens the door for forensic analysts to access more data when they have the database and the SIM.

Exporting conversations with WhatsApp Viewer

We are now going to make a backup with WhatsApp to encrypt those conversations again, but with the key that was generated by installing WhatsApp in the emulator.

This will allow us to access the new database and the encryption key that has been generated in the emulator.

Figure 14: Generating a backup of the WhatsApp database

Now we locate the key on this device, which is located at "/data/data/com.whatsapp/files", and we also access the newly created backup of the WhatsApp message database.

Figure 15: Database created with the backup in the emulator
Figure 16: Key created by WhatsApp for this device. You need to be root to access it.

Very good. We have everything we need to be able to decipher it: a WhatsApp database and the encryption key used. Now all that remains is to open the database with WhatsApp Viewer.

Figure 17: Passing the database and key to WhatsApp Viewer

This will generate a database which we will reopen with WhatsApp Viewer and which will allow us to access the conversations. These can also be exported to other types of files.

Figure 18: The entire database is decrypted and available for export

As seen here, because WhatsApp allows databases generated and encrypted on device A to be decrypted on a new device B without having the device encryption key, we have been able to extract a database from a WhatsApp for Android without root and decrypt it with the information from the WhatsApp servers.

Figure 19: How to decrypt WhatsApp for Android database without encryption key

To follow the process step by step, I have made this short sped-up video that collects each and every one of the commands needed to replicate this process.

Finally, I recommend that you read the article Bulletproof your WhatsApp, which would help to prevent this process from succeeding if you have correctly configured all the protection measures, as this could be used by criminals to spy on WhatsApp.

Best regards,
