25 August 2021

Malicious WhatsApp mod delivers Triada trojan

Security researchers are warning of a malicious version of FMWhatsapp, a popular WhatsApp messenger mod, which delivers the Triada trojan. Triada is capable of downloading additional malware, displaying ads, signing the victim up for paid subscriptions, and intercepting the user's SMS messages.

FMWhatsapp is one of the more popular WhatsApp mods, claiming to offer features the official app lacks. Version 16.80.0 of FMWhatsapp, analysed by Kaspersky researchers, however, comes with a nasty surprise: the Triada trojan, bundled together with an advertising software development kit (SDK).

Once the trojanised app is launched, the malware collects unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the package name of the app it is embedded in. This information is sent to a remote server to register the device; the server responds with a link to a payload, which the trojan downloads, decrypts and launches.

Kaspersky researchers observed Triada downloading and launching a number of additional malicious programs on infected devices, including:

  • Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.

  • Trojan-Downloader.AndroidOS.Gapac.e, which also installs other malicious modules and displays full-screen ads.

  • Trojan-Downloader.AndroidOS.Helper.a installs the xHelper Trojan installer module. It also runs invisible ads in the background to increase the number of views they get.

  • Trojan.AndroidOS.MobOk.i signs the device owner up for paid subscriptions.

  • Trojan.AndroidOS.Subscriber.l also signs victims up for premium subscriptions.

  • Trojan.AndroidOS.Whatreg.b signs in WhatsApp accounts on the victim’s phone. The malware gathers information about the user’s device and mobile operator, then sends it to the command and control server (C&C server). The server responds with an address to request a confirmation code and other information required to sign in.

“It’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process,” the researchers said.

“We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even lose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name.”
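The point Kaspersky makes about permissions is something you can check for yourself before sideloading an APK. The script below is an added example written for this page, not code from Kaspersky or from the article: it parses the output of `aapt dump badging <apk>` (the Android build-tools utility), flags any WhatsApp-branded package whose package name is not the official `com.whatsapp` or `com.whatsapp.w4b`, and lists the permissions that would hand an embedded trojan the SMS access and device identifiers described above. The two badging dumps and the package name `com.example.fakemod` are constructed for illustration; they are not the real FMWhatsapp identifiers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample output, in the format `aapt dump badging <apk>` prints.
# Package names, versions and permission sets below are made up for this
# example and are NOT the real identifiers of FMWhatsapp or any other mod.
OFFICIAL_BADGING = """\
package: name='com.whatsapp' versionCode='221350000' versionName='2.21.13.20'
application-label:'WhatsApp'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
"""

MOD_BADGING = """\
package: name='com.example.fakemod' versionCode='1680' versionName='16.80.0'
application-label:'WhatsApp'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
"""

PACKAGE_RE = re.compile(r"^package: name='([^']+)'")
LABEL_RE = re.compile(r"^application-label(?:-[\w-]+)?:'([^']*)'")
PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")

# Official WhatsApp package names (consumer app and WhatsApp Business).
OFFICIAL_WHATSAPP_PACKAGES = {"com.whatsapp", "com.whatsapp.w4b"}
# Permissions that let a bundled trojan read confirmation codes for paid
# subscriptions (the abuse Kaspersky describes).
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Lets the app read device/subscriber identifiers on older Android versions,
# the kind of data Triada sends to its server to register the device.
IDENTIFIER_PERMISSIONS = {"android.permission.READ_PHONE_STATE"}
# Lets the app ask to install further APKs, i.e. downloader behaviour.
SIDELOAD_PERMISSIONS = {"android.permission.REQUEST_INSTALL_PACKAGES"}


@dataclass
class ApkInfo:
    package: str = ""
    label: str = ""
    permissions: set[str] = field(default_factory=set)


def parse_badging(text: str) -> ApkInfo:
    """Extract package name, default label and requested permissions."""
    info = ApkInfo()
    for line in text.splitlines():
        if m := PACKAGE_RE.match(line):
            info.package = m.group(1)
        elif m := LABEL_RE.match(line):
            if not info.label:  # keep the first (default-locale) label
                info.label = m.group(1)
        elif m := PERM_RE.match(line):
            info.permissions.add(m.group(1))
    return info


def triage(info: ApkInfo) -> list[str]:
    """Return findings for a WhatsApp-branded APK that is not the official one."""
    findings: list[str] = []
    branded = "whatsapp" in info.label.lower() or "whatsapp" in info.package.lower()
    if not branded or info.package in OFFICIAL_WHATSAPP_PACKAGES:
        return findings  # official build, or not a WhatsApp lookalike at all
    findings.append(f"unofficial WhatsApp-branded package: {info.package}")
    sms = sorted(info.permissions & SMS_PERMISSIONS)
    if sms:
        findings.append("mod can read SMS, including subscription confirmation codes: "
                        + ", ".join(sms))
    if info.permissions & IDENTIFIER_PERMISSIONS:
        findings.append("mod can read device/subscriber identifiers")
    if info.permissions & SIDELOAD_PERMISSIONS:
        findings.append("mod can request installation of further packages")
    return findings


if __name__ == "__main__":
    for name, dump in (("official", OFFICIAL_BADGING), ("mod", MOD_BADGING)):
        result = triage(parse_badging(dump))
        print(f"{name}: {'clean' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

To use it on a real file, pipe `aapt dump badging some.apk` into `parse_badging` and run `triage` on the result. The check is deliberately conservative: it does not try to tell whether an SMS permission is "legitimate", it only tells you that a build you cannot vet holds it, which is exactly the situation Kaspersky warns about.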
