WhatsApp version distributes Triada Trojan

A Trojanized WhatsApp application for Android has been spotted to deliver malware, show full-screen advertisements, and sign up for unwanted subscriptions without the user’s knowledge.

Triada Trojan

In a revelation published on Tuesday, a group of Russian researchers from the cybersecurity firm Kaspersky discovered that the Triada Trojan has sneaked into a modified version of the popular messaging app. Distributed under the name of FMWhatsApp 16.80.0, the modified version comes along with the Trojan and an advertising software development kit (SDK).

Using modified copies of genuine Android applications is a common malicious practice known as Modding. Malicious actors use it to integrate new features that weren’t in the original app.

According to the technical write-up, FMWhatsApp is distributed as a custom build of the original WhatsApp messaging app that can be found in third-party websites. The modified version offers various themes and provides users with the options to customize icons and even deactivate features like Last Seen and video calling. The app is only accessible through sites other than the original WhatsApp’s developers site.

The manipulated version found by Kaspersky’s researchers comes with the ability to collect unique device IDs which are transmitted back to a remote server with a payload link that is then downloaded, encrypted and executed by the Trojan Triada.

A disturbing discovery that the researchers are highlighting is that the FMWhatsApp application requires users to grant it access to their SMS and other system permissions, which allows the Trojan and all its future harmful modules to read SMS messages. Attackers may use this to enroll victims in premium memberships automatically, even in cases when a confirmation code is needed for the subscription.

In addition to reading SMS, downloading additional tools and displaying full-screen ads, the payload is capable of carrying out a wide range of malicious activities, such as signing the victim into WhatsApp and into premium services without their knowledge, as well as stealthily subscribing them to services. The malicious actors behind the tampered WhatsApp variant also have the ability to hijack and take control of WhatsApp accounts, thereby spreading malware and infecting other devices.

To keep away from the threat, users are advised to download only the original WhatsApp application from the original developer and avoid third-party sources of this software.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment