Pierluigi Paganini August 25, 2021

Experts spotted a modified version of WhatsApp for Android, which offers extra features, but that installs the Triada Trojan on the devices.

Researchers from Kaspersky spotted a modified version of WhatsApp for Android, which offers extra features, but which installs the Triada Trojan on the devices.

WhatsApp users sometimes look for mods that offer extra features such as animated themes, self-destructing messages which automatically delete themselves, the option of hiding certain conversations from the main list, automatic translation of messages. These modified versions of the popular instant messaging app usually contain ads.

The version discovered by Kaspersky is called FMWhatsapp 16.80.0 together, experts also discovered the advertising software development kit (SDK) that included the downloader for the malicious payload.

“The Trojan Triada snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 together with the advertising software development kit (SDK),” reads the analysis published by Kaspersky.”This is similar to what happened with APKPure, where the only malicious code that was embedded in the app was a payload downloader.”

Upon launching the app, it will gather unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package where they’re deployed. These data are sent to a remote server to register the device, which in turn responds by sending a link to a payload which the Triada Trojan downloads, decrypts, and launches.

The malicious payload could be used to conduct a wide range of malicious activities, including downloading additional modules, stealthily subscribing the victims to premium services, and signing into WhatsApp accounts on the device.

The attackers can also take control of the WhatsApp accounts and spread spam sent on behalf of the victims.

“It’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process.” concludes Kaspersky. “We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even loose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name.”

Experts also shared Indicators of Compromise (IoCs) for this modified version.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)

[adrotate banner=”5″]

[adrotate banner=”13″]