
YoWhatsApp, unofficial WhatsApp Android app spreads the Triada Trojan

Kaspersky researchers warn of a recently discovered malicious version of a popular WhatsApp messenger mod dubbed YoWhatsApp.

Kaspersky researchers discovered an unofficial WhatsApp Android application named ‘YoWhatsApp’ that steals access keys for users’ accounts.

Mod apps are advertised as unofficial versions of legitimate apps that offer features the official one does not support. YoWhatsApp is a fully working messenger that adds extra features, such as customizing the interface or blocking access to individual chats.

The tainted WhatsApp version asks for the same permissions as the original messenger app, such as access to SMS.

“To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan. Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app,” reported Kaspersky. “Along with the permissions needed for WhatsApp to work properly, this gives them the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are not even aware of.”

This mod delivers the Triada Trojan, which can drop other malicious payloads, issue paid subscriptions, and even steal WhatsApp accounts. According to Kaspersky, more than 3,600 users have been targeted in the last two months.

The YoWhatsApp Android app was advertised in the official Snaptube app.

The experts also found the malicious app built into the popular Vidmate mobile app, which is designed to save and watch videos from YouTube. Unlike Snaptube, the malicious build was uploaded to the internal store that is part of Vidmate.

Kaspersky researchers reported that YoWhatsApp v2.22.11.75 steals WhatsApp keys, allowing threat actors to take over users’ accounts.

In 2021, Kaspersky spotted another modified version of WhatsApp for Android that offered extra features but was also used to deliver the Triada Trojan.

The modified version is called FMWhatsapp 16.80.0.

The experts also discovered that the advertising software development kit (SDK) bundled with the mod included the downloader for the malicious payload.

The FMWhatsapp was designed to gather unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package where they’re deployed.

To stay safe, the researchers recommend:

  • Only installing applications from official stores and reliable resources
  • Remembering to check which permissions you give installed applications – some of them can be very dangerous
  • Installing a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android. It will detect and prevent possible threats.
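The second recommendation, checking which permissions an installed app actually holds, can be automated on a device connected over ADB. The following script is an added example written for this article and is not Kaspersky's or the Security Affairs author's code. It parses the output of `adb shell dumpsys package <package>` (a constructed sample is embedded so it runs offline), reports any granted permission from a watch list chosen for this example (SMS access is the one the article names for the tainted mod; the others are common in droppers and subscription-fraud apps), and flags a package whose recorded installer is not a known store. The `granted=true` line format and the `installerPackageName=` field are assumed to match current Android `dumpsys` output; verify on your own device build.

```python
import re
from typing import Dict, Set

# Watch list chosen for this example (not a Kaspersky list): permissions a
# messenger mod should not silently hold, with the risk each one carries.
HIGH_RISK: Dict[str, str] = {
    "android.permission.READ_SMS": "can read one-time verification codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming verification codes",
    "android.permission.SEND_SMS": "can send premium-rate SMS (billing fraud)",
    "android.permission.READ_PHONE_STATE": "exposes device and subscriber identifiers",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (dropper behaviour)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlays)",
}

# Installers treated as trustworthy for this example (Google Play only).
KNOWN_STORE_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample modelled on `adb shell dumpsys package <pkg>` output;
# the package name and installer are placeholders, not real identifiers.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messengermod] (a1b2c3d):
    userId=10234
    versionName=2.0.0
    installerPackageName=com.example.sideloader
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_PHONE_STATE
      android.permission.READ_CONTACTS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

_GRANT_RE = re.compile(r"([A-Za-z0-9_.]+): granted=(true|false)")
_INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")


def granted_permissions(dumpsys_text: str) -> Set[str]:
    """Return every permission the dump marks as granted (install or runtime)."""
    return {name for name, state in _GRANT_RE.findall(dumpsys_text) if state == "true"}


def flag_high_risk(dumpsys_text: str) -> Dict[str, str]:
    """Map each granted watch-list permission to the reason it is risky."""
    granted = granted_permissions(dumpsys_text)
    return {perm: HIGH_RISK[perm] for perm in sorted(granted) if perm in HIGH_RISK}


def installer_package(dumpsys_text: str) -> str:
    """Return the recorded installer package, or '' if the dump lacks one."""
    match = _INSTALLER_RE.search(dumpsys_text)
    return match.group(1) if match else ""


def installed_from_known_store(dumpsys_text: str) -> bool:
    """True only when the installer is on the trusted-store list."""
    return installer_package(dumpsys_text) in KNOWN_STORE_INSTALLERS


def triage(dumpsys_text: str) -> Dict[str, object]:
    """Summarise the findings a reviewer would want before deciding to uninstall."""
    return {
        "installer": installer_package(dumpsys_text) or "(unknown)",
        "from_known_store": installed_from_known_store(dumpsys_text),
        "high_risk_granted": flag_high_risk(dumpsys_text),
    }


if __name__ == "__main__":
    # With a real device: adb shell dumpsys package <pkg> > dump.txt, then
    # pass the file contents instead of SAMPLE_DUMPSYS.
    result = triage(SAMPLE_DUMPSYS)
    print(f"installer: {result['installer']} (known store: {result['from_known_store']})")
    for perm, reason in result["high_risk_granted"].items():
        print(f"  GRANTED {perm}: {reason}")
```

Running it against the constructed sample reports a sideloaded installer plus granted SMS and phone-state permissions, the combination a messenger mod does not need. A CAMERA entry marked `granted=false` is correctly ignored: the script judges what the app holds, not what it merely requested.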

“Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources may still fall victim to them. In particular, malware like Triada can steal an IM account and, for example, use it to send unsolicited messages, including malicious spam,” concludes Kaspersky. “The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”


Pierluigi Paganini

(SecurityAffairs – hacking, YoWhatsApp)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
