SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Kaspersky uncovers malicious version of WhatsApp mod
Thu, 26th Aug 2021

A malicious version of FMWhatsapp, the popular WhatsApp mod (an unofficial modification of popular instant messaging application WhatsApp), has been discovered.

Recently discovered by cybersecurity firm Kaspersky, the dangerous version of the WhatsApp modification spreads the Triada mobile Trojan, which downloads other Trojans and can launch ads, issue subscriptions and intercept a user's SMS messages, leaving the user vulnerable to illegal activity through their phone.

Despite WhatsApp being one of the most popular apps for instant mobile messaging, not all users are satisfied with its features and some are tempted to install modified versions (mods), seeking the most user-friendly version.

These mods provide the user with more options than the official app, such as choosing personalised themes, hiding certain features or reading deleted messages.

The creators of these apps publish ads to monetise their work, and, according to Kaspersky, fraudsters are taking advantage of this, distributing malicious code through advertising.

One example of this is version 16.80.0 of FMWhatsapp, which includes the Triada Trojan along with one of the ad libraries.

This Triada Trojan acts as a mediator: it collects data about the user's mobile device and then, at the owner's command, downloads one of the other Trojans to the smartphone, the cybersecurity firm explains. These Trojans can independently launch ads, issue paid subscriptions to the device owner and even log into their WhatsApp account, intercepting the SMS to confirm login.

According to Kaspersky, the outcome is that the device owner is left vulnerable to illegal activity through their phone.

Downloaded by Triada, the MobOk Trojan opens a subscription page in an invisible window and clicks the 'subscribe' button for the user.

"It is hard for users to recognise the potential threat with this app, because the mod does what is proposed – it adds additional features," says Noushin Shabab, senior security researcher at Kaspersky.

"But we've seen how cybercriminals are spreading malicious files through the ad blocks in such apps, and it's putting the users at risk," she says.

"This is why we recommend only using messenger software downloaded from official app stores," Shabab says.

"They may lack some additional functions, but they won't install a bunch of malware on your smartphone that could put you in a potentially vulnerable position," she explains.

"It's also important to remember to check which permissions you give installed applications, as some of them can be very dangerous," Shabab adds.

Kaspersky solutions detected the malicious implant as Trojan.AndroidOS.Triada.ef.