Malicious code spreads through WhatsApp mod


Kaspersky has discovered a malicious version of FMWhatsapp, a popular mod (unofficial modification) of the WhatsApp messenger.

This particular version spreads the Triada mobile Trojan, which downloads other Trojans and can launch ads, issue subscriptions, as well as intercept SMSes.

According to Kaspersky, while WhatsApp may be among the most popular IM apps, not everyone is satisfied with its features. Many want a more user-friendly version and are tempted to install mod versions of the app, which offer a slew of additional options. These include the ability to read deleted messages, and to select dynamic templates.

Mod apps often feature ads, as their authors attempt to monetise their work, and bad actors seek to take advantage of this by distributing malware through this advertising.

In the malicious version of the FMWhatsapp mod, the Triada Trojan acts as a mediator, initially collecting data about the user's smartphone and then, on command, downloading one of the other Trojans to the device.

The additional Trojans have the ability to independently launch ads, issue paid subscriptions to the device owner and even log into the WhatsApp account, intercepting the SMS to confirm login – leaving the victim vulnerable to illegal activity through their phone.

Igor Golovin, a security expert at Kaspersky, says in this instance it is difficult for users to recognise the potential threat because the mod application actually does what it promises to, by adding additional features.

“However, we have observed how cyber criminals have started to spread malicious files through the ad blocks in these apps. That is why we recommend users only use messenger software downloaded from official app stores,” he adds.

Kaspersky solutions detected the malicious implant as Trojan.AndroidOS.Triada.ef.

To protect against this sort of threat, Kaspersky experts recommend installing applications only from official stores and reliable resources, and checking which permissions are given to installed applications, as some of them can be very dangerous.
