AndroidIt’s all fun and games until it’s not a game, and Balloon Pop 2 is a woeful game but it is an excellent theft mechanism.

Balloon Pop 2 was likely developed by the same individuals who operate and control

This spyware application will steal the messaging history of the popular WhatsApp messaging service and upload the stolen information to

Since the malicious activity of this application was discovered the Balloon Pop 2 game has been removed from the Google Play market. Anyone who may still have this application installed on their device would be wise to remove it immediately.

The website claims to be a “back up” service for WhatsApp messages.  However, it’s difficult to lend any credibility to this claim due to the deceptive way in which the information is captured. The Balloon Pop 2 app never informs the victim that WhatsApp messaging information will be copied and uploaded to a website. There is no prompt for the user to confirm this activity, and there is no setting within the application to turn off the “backup” function. All that the user will ever see when playing the Balloon Pop 2 game is the game interface which, as security researcher Graham Cluley describes it, “is nothing to write home about.” The victims are likely to be completely unaware of the malicious activity taking place in the background.

Balloon Pop 2

Balloon Pop 2 does not wait long after it is installed on the device to start harvesting your WhatsApp messaging history, in fact it does not wait at all. Once the Balloon Pop 2 “game” is launched it immediately calls “com.ballonpop2.uploadtoserver.UploadToServer”. This is the first class called by the application and is responsible for following a hardcoded path to the WhatsApp messaging history and then making a copy of that file. The Balloon Pop 2 spyware copies all incoming and outgoing messages as well as profile pictures of the victim and their contacts and any photos that have been shared via the messaging service.


Next the spyware will upload the stolen data to the WhatsAppCopy website. To do so it calls “com.ballonpop2.uploadtoserver.Alarm”. Just for good measure, before the stolen WhatsApp messaging history is uploaded the “com.ballonpop2.uploadtoserver.Alarm” also harvests all login information for all other accounts saved on the device. In the experiment I performed with my own device I found that this spyware harvested the login credentials for my Gmail accounts, Facebook, Tumblr, Microsoft exchange, and my DropBox account. That is a pretty substantial haul of stolen information for the malware authors.

starting upload file

Once the information is uploaded to the WhatsAppCopy servers it is available for anyone to view. Yet another reason I have a hard time believing this is a “Backup” service, the stolen messaging history is publicly displayed. Simply by entering the victim’s phone number into the search bar anyone can view the victim’s WhatsApp messaging history. The WhatsAppCopy website then attempts to sell the complete messaging history for any phone number. None of the other stolen account login information is publicly displayed which is a small relief but what it is used for is likely undesirable. Following my own experiment I changed the passwords for all of my own accounts. I would recommend that if you encountered this spyware that you do the same.

This spyware highlights several privacy issues that all smartphone users should keep in mind. For Android users it is always important to review required permissions prior to installing any application. Out of place permission requests can be a dead giveaway that an application has hidden malicious intentions. For example, the Balloon Pop 2 application requires GET_ACCOUNTS permission which allows the spyware to capture the login credentials saved to the device; this is a completely unnecessary activity for a game application. Due to the number of cases of malware being published on Google Play, Android users should never take for granted that all apps published on Google Play can be trusted.

Second, with privacy being such a hot-button issue recently it is disconcerting that an application with the popularity of WhatsApp can be so easily hacked and the information stolen. WhatsApp has over 350 million active users, reportedly sending 16 billion messages a day. With such widespread use it is concerning to see such a lack of privacy protection. Anyone who is seriously concerned with their own virtual privacy should consider more secure, preferably encrypted, messaging services.

Finally, something for all Internet users to take note of – everyone leaves a digital trail. A good rule of thumb with regard to privacy and sharing on the internet is to not share anything with anyone that you would not want to become public. This rule applies to private online conversations as well as sharing photos or videos. Just ask the celebrities and politicians who have been making headline with inappropriate comments (Alec Baldwin), photos (Anthony Weiner) and videos (Rob Ford). The digital trail left behind by all online services does not disappear so easily.

Article WritingAbout Author:

James Green is a security researcher for Android antivirus company Armor for Android. James has worked in the Android security field for several years and provides privacy and security advice to Android users.