
Widely-used WhatsApp mod stuffed with malware

FMWhatsApp is embedded with the Triada Trojan which tracks device information and intercepts texts

A widely-used modified version of WhatsApp has been Trojanised by the Triada malware, with users susceptible to having their personal information and messages intercepted.

WhatsApp variants, like the vulnerable FMWhatsApp, are often downloaded because users sometimes feel the official app lacks useful features, whether these are animated themes or self-destructing messages. 

These mods, developed by amateurs, contain ads, usually in the form of banners displayed on various screens and menus. The Triada Trojan sneaked into the FMWhatsApp 16.8.0 variant alongside its advertising software development kit (SDK), according to researchers at Kaspersky.

This might be of particular concern to businesses whose employees routinely use WhatsApp to communicate, specifically those who have opted for alternatives to the official version due to the additional functionality these variants offer. These are only available through third-party websites.

The Trojanised version that Kaspersky has identified gathers unique device identifiers, including device IDs, subscriber IDs and MAC addresses, as well as the name of the app package in which it is deployed.

When the app is launched, this information is collected and sent to a remote server to register the device. The server responds with a link to a payload, which the Trojan downloads, decrypts and launches.

At this stage, several pieces of malware are delivered to the victim’s device. Trojan-Downloader.AndroidOS.Agent.ic downloads and launches other malicious modules alongside Trojan-Downloader.AndroidOS.Gapac.e, which also displays full-screen ads when users least expect it.


Trojan-Downloader.AndroidOS.Helper.a downloads and launches the xHelper Trojan installer module, and also runs invisible ads in the background to inflate their view counts. Trojan.AndroidOS.MobOk.i then signs the device owner up for paid subscriptions, as does the Trojan.AndroidOS.Subscriber.l module.

Finally, Trojan.AndroidOS.Whatreg.b signs in to WhatsApp accounts on the victim’s phone. The malware gathers device information and sends it to the command and control (C&C) server, which responds with an address from which to request a confirmation code, along with the other information needed to sign in, in a way that mimics the official WhatsApp protocol.

“It’s worth highlighting that FMWhatsApp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them,” said Kaspersky researcher Igor Golovin.

“This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process.

“We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even [lose] control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name.”
