Kaspersky researchers discovered a new malicious version of a popular WhatsApp messenger mod dubbed YoWhatsApp.
Popular for having features that the official app does not offer, this mod spreads the notorious Triada mobile Trojan.
According to cybersecurity experts, the Trojan can download other Trojans, issue paid subscriptions, and even steal WhatsApp accounts.
Users around the world were affected by this threat in the last two months; more than a quarter of them (27%) were in the META (Middle East, Turkey, Africa) region, and within META, 27% of affected users were in African countries.
This new malicious mod is advertised in the popular Snaptube app and is also distributed via Vidmate.
Being promoted inside legitimate apps makes the mod look far less suspicious to potential targets and widens the pool of possible victims.
WhatsApp is one of the most popular messengers, used by millions of users worldwide, but not all of them are satisfied with the features offered by the legitimate application.
Thus, some users prefer to download WhatsApp mods that provide far more options, such as custom backgrounds and fonts for chats, bulk messaging, or password-protected login to certain conversations.
However, such mods are not always secure. Kaspersky had already discovered another modification of WhatsApp that spread the same Triada mobile Trojan. Researchers have now seen that fraudsters continue to exploit the popularity of the globally recognised messenger by creating new malicious modifications, such as some versions of the so-called YoWhatsApp mod.
To infect as many users as possible, cybercriminals have resorted to a new distribution scheme. They now advertise the malicious YoWhatsApp mod in the popular Android app Snaptube, which is used to download videos from YouTube, Facebook, and Instagram.
Since YoWhatsApp is being advertised in the Snaptube app used by hundreds of thousands of users around the world, many of them are not even aware that this modification could be dangerous.
Most likely, even Snaptube's developers were unaware that the attackers had decided to take advantage of the legitimate advertising mechanism in their app.
YoWhatsApp is also being distributed via the Vidmate app. In addition to being used for downloading YouTube videos, this app contains an unofficial Android app store.
There, attackers published a malicious version of YoWhatsApp under the name "Whatsapp Plus". Because Vidmate is not an official app store, the likelihood of malicious apps being distributed through it is considerably higher, and the appearance of "Whatsapp Plus", which infects users with the Triada Trojan, is an example of this.
To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan.
Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app.
Combined with the permissions WhatsApp needs in order to work properly, this gives the attackers the ability to steal accounts and to make money from victims by signing them up for paid subscriptions they are not even aware of.
“Advertising in legitimate applications is a very cunning way for criminals to spread malicious applications, as many users believe that, if the application they are using is safe, then any advertising on it does not carry any risks either. However, as we can see, this is not always the case, so we recommend that users download applications only from official app stores. They will not always carry the same large number of custom features, but they will definitely be much safer for you, reducing the possibility of losing your account or reducing your money to a minimum,” comments Anton Kivva, security researcher at Kaspersky.
Kaspersky solutions detected the malicious implant as Trojan.AndroidOS.Triada.eq and Trojan-Dropper.AndroidOS.Triada.bd.