Security researchers are warning of a malicious version of the popular WhatsApp messenger mod FMWhatsapp, which delivers the Triada trojan. The trojan is capable of downloading additional malware, launching ads, issuing subscriptions, and intercepting a user’s SMS messages.
FMWhatsapp is one of the more popular WhatsApp mod apps and claims to offer features that the original app doesn’t have. However, FMWhatsapp version 16.80.0, discovered by Kaspersky researchers, comes with a nasty surprise in the form of the Triada trojan together with an advertising software development kit (SDK).
Once the malicious app is launched, the malware collects unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package in which it is deployed. This information is then sent to a remote server to register the device. In response, the server sends a link to a payload, which the trojan downloads, decrypts and launches.
Kaspersky researchers observed Triada downloading and launching a bunch of additional malicious programs on the infected devices, including:
Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.
Trojan-Downloader.AndroidOS.Gapac.e, which also installs other malicious modules and displays full-screen ads.
Trojan-Downloader.AndroidOS.Helper.a, which installs the xHelper Trojan installer module. It also runs invisible ads in the background to increase the number of views they get.
Trojan.AndroidOS.MobOk.i, which signs the device owner up for paid subscriptions.
Trojan.AndroidOS.Subscriber.l, which also signs victims up for premium subscriptions.
Trojan.AndroidOS.Whatreg.b, which signs in to WhatsApp accounts on the victim’s phone. The malware gathers information about the user’s device and mobile operator, then sends it to the command and control server (C&C server). The server responds with an address to request a confirmation code and other information required to sign in.
“It’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process,” the researchers said.
“We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even lose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name.”