A Trojanized WhatsApp build for Android has been found delivering malware, showing full-screen advertisements and signing users up for paid subscriptions without their knowledge.
In findings published on Tuesday, researchers at the Russian cybersecurity firm Kaspersky reported that the Triada Trojan had been slipped into a modified version of the popular messaging app. Distributed under the name FMWhatsApp, version 16.80.0, the mod ships with the Trojan bundled alongside an advertising software development kit (SDK).
Modifying genuine Android apps, a practice known as modding, is common: mods add features the original app lacks, and malicious actors piggyback on their popularity to bundle their own code with the modified copy.
According to the technical write-up, FMWhatsApp is distributed as a custom build of the original WhatsApp messaging app and can be found on third-party websites. The mod offers various themes and lets users customize icons and even disable features such as Last Seen and video calling. It is not available from WhatsApp's own developer site, only from other sources.
The version analysed by Kaspersky's researchers collects unique device identifiers and sends them to a remote server; the server replies with a link to a payload, which Triada downloads, decrypts and executes.
A finding the researchers single out is that FMWhatsApp asks users to grant it SMS access and other system permissions. Because the Trojan and any modules it later downloads run inside the app's process, they inherit those permissions and can read SMS messages. Attackers use this to enroll victims in paid subscriptions automatically, even where the subscription requires a confirmation code delivered by SMS.
Beyond reading SMS, fetching further modules and displaying full-screen ads, the payload can carry out a range of malicious activities: signing victims up for paid services without their knowledge and signing into WhatsApp accounts on the victim's device. The operators behind the tampered WhatsApp variant can also hijack and take control of WhatsApp accounts, using them to spread the malware and infect other devices.
To stay clear of the threat, users are advised to install only the original WhatsApp application from its developer through official channels and to avoid third-party sources for this software.
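One practical check that follows from the points above, written as an added example for this page (it is not code from the article or from Kaspersky's write-up): a mod such as FMWhatsApp is repackaged and re-signed with the modder's own key, so the signing certificate of the installed APK will not match the official one, and `dumpsys` shows whether SMS permissions were requested and granted. The script below parses constructed sample output of `apksigner verify --print-certs` (run on an APK pulled with `adb pull`) and of `adb shell dumpsys package com.whatsapp`. The digest in `EXPECTED_SHA256` is a placeholder, not WhatsApp's real fingerprint; replace it with one taken from a known-good install, and feed the two functions real command output.

```python
"""Triage a suspect WhatsApp install for re-signing and SMS permission abuse.

Added example, not code from the article or from Kaspersky. Parses the output of
  apksigner verify --print-certs base.apk      (after `adb pull` of the APK)
  adb shell dumpsys package com.whatsapp
and reports whether the signer matches a known-good certificate and which
SMS-related permissions the package requested or holds.
All sample data and EXPECTED_SHA256 below are constructed placeholders.
"""
import re

# Assumption: SHA-256 of the legitimate signer, taken from a known-good install.
# Placeholder value only; it is NOT WhatsApp's real certificate fingerprint.
EXPECTED_SHA256 = "a1" * 32

# Permissions that let any code running in the app's process read or intercept SMS.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}

MOD_SHA256 = "5f" * 32  # constructed digest of a hypothetical modder's signing key

# Constructed `apksigner verify --print-certs` output for a re-signed mod.
SAMPLE_APKSIGNER = (
    "Signer #1 certificate DN: CN=Mod Builder, O=Example\n"
    f"Signer #1 certificate SHA-256 digest: {MOD_SHA256}\n"
    f"Signer #1 certificate SHA-1 digest: {'0123456789abcdef' * 2}01234567\n"
)

# Constructed `dumpsys package com.whatsapp` output, trimmed to the relevant sections.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.whatsapp] (1a2b3c4):
    versionCode=2216800 minSdk=21 targetSdk=30
    versionName=16.80.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET]
"""

_CERT_LINE = re.compile(r"^Signer #(\d+) certificate (DN|SHA-256 digest|SHA-1 digest|MD5 digest): (.*)$", re.M)
_CERT_KEYS = {"DN": "dn", "SHA-256 digest": "sha256", "SHA-1 digest": "sha1", "MD5 digest": "md5"}
_PERM_LINE = re.compile(r"([\w.]+)(?::\s*(.*))?")  # "<permission>" or "<permission>: granted=..., ..."


def parse_apksigner_certs(text):
    """Map signer index -> {'dn', 'sha256', 'sha1', 'md5'}; digests are lower-cased."""
    signers = {}
    for m in _CERT_LINE.finditer(text):
        idx, key, value = int(m.group(1)), _CERT_KEYS[m.group(2)], m.group(3).strip()
        signers.setdefault(idx, {})[key] = value if key == "dn" else value.lower()
    return signers


def parse_dumpsys_permissions(text):
    """Return (requested: set, granted: {permission: bool}) from the permission sections.

    A line that does not look like a permission entry closes the current section.
    """
    requested, granted, section = set(), {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("permissions:"):
            section = s[: -len("permissions:")].strip()  # requested / install / runtime
            continue
        m = _PERM_LINE.fullmatch(s) if section else None
        if not m:
            section = None
            continue
        name, rest = m.group(1), m.group(2) or ""
        if section == "requested":
            requested.add(name)
        else:
            state = re.search(r"granted=(true|false)", rest)
            if state:
                granted[name] = state.group(1) == "true"
    return requested, granted


def triage(apksigner_out, dumpsys_out, expected_sha256=EXPECTED_SHA256):
    """Combine both checks; 'signer_ok' is False for a re-signed (modded) build."""
    signers = parse_apksigner_certs(apksigner_out)
    signer_ok = bool(signers) and all(c.get("sha256") == expected_sha256.lower() for c in signers.values())
    requested, granted = parse_dumpsys_permissions(dumpsys_out)
    sms_requested = sorted(requested & SMS_PERMISSIONS)
    return {
        "signer_ok": signer_ok,
        "signers": signers,
        "sms_requested": sms_requested,
        "sms_granted": [p for p in sms_requested if granted.get(p)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_APKSIGNER, SAMPLE_DUMPSYS)
    print("signer matches known-good certificate:", result["signer_ok"])
    for idx, cert in result["signers"].items():
        print(f"  signer #{idx}: {cert['dn']}  sha256={cert['sha256']}")
    print("SMS permissions requested:", result["sms_requested"])
    print("SMS permissions granted:  ", result["sms_granted"])
```

The signer comparison is the decisive check: whatever the package name and version string say, an APK signed with anything other than the official key did not come from the original developer. The permission listing is supporting evidence, since the article's point is that a granted READ_SMS permission is what lets Triada's downloaded modules harvest subscription confirmation codes from inside the app's process.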