Date: 2022-10-14

A new malicious version of a popular WhatsApp messenger mod dubbed YoWhatsApp is doing the rounds, with more than a quarter of those affected (27%) coming from the META (Middle East, Turkey, Africa) region.

Popular for having features that the official app does not offer, this mod spreads the infamous Triada mobile Trojan, which is able to download additional Trojans, issue paid subscriptions, and even steal WhatsApp accounts.

YoWhatsApp is advertised in the popular Snaptube app and is also distributed via Vidmate. This makes the mod look much less suspicious to potential targets and expands the possible number of victims.

WhatsApp is one of the most popular messengers, used by millions of users worldwide, but not all of them are content with the features offered by the legitimate version. This is why some users prefer to download WhatsApp mods that offer more options, including custom backgrounds, different fonts, bulk messaging, or password-protected login to certain conversations.

These mods are not always secure, and Kaspersky previously discovered a different mod of WhatsApp, which also spreads the same mobile Trojan.

Advertising on popular platforms

With the aim of infecting as many users as possible, cyber criminals have turned to a new distribution scheme. They are now advertising the malicious mod in the popular Android app Snaptube, which is used to download videos from YouTube, Facebook, and Instagram.

Since the mod is being advertised on such a popular platform, used by hundreds of thousands of users globally, many of them are not even aware that this modification could be dangerous.

Kaspersky speculates that it is likely even Snaptube’s developers were not aware that the attackers had decided to take advantage of the legitimate advertisement mechanism in their app.

YoWhatsApp is also being distributed via the Vidmate app, which in addition to being used for downloading YouTube videos, contains an unofficial Android app store.

Here, bad actors published a malicious version of YoWhatsApp called “Whatsapp Plus”, and because Vidmate is not an official app store, it is even easier to distribute malicious apps there.

How it works

To use the WhatsApp mod, users need to log in to their account of the legitimate app. Unfortunately, along with all the new features, users also get the Triada Trojan.

Once the victim is infected, bad actors download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app.

Together with the permissions needed for WhatsApp to work properly, this gives attackers the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are not even aware of.

Stay safe

To stay safe, Kaspersky recommends only installing applications from official stores and reliable resources, and remembering to check which permissions are given to installed applications as some of them can be very dangerous.

Finally, always have a reliable mobile antivirus installed to detect and prevent possible threats.