From data privacy violations to fake applications, WhatsApp has been in the news for various reasons since the beginning of 2021. The popular instant messaging service provider has sustained a new kind of malware attack lately. A threat analysis report from Kaspersky uncovered a modified yet malicious version of WhatsApp tracked as FMWhatsapp that is distributing Triada mobile Trojan. The fake WhatsApp version displays malware-infused ads, accesses users’ SMSs, and downloads other Trojans.
Malicious WhatsApp Version
Threat actors are luring users to install the modified version of WhatsApp, which reportedly provides additional features than the official one. Once the user installs and starts using the app, fraudsters start their malicious activities by distributing malicious code via unwanted ads. Initially, FMWhatsapp compromises user devices and automatically downloads Trojans.
The Trojans then launch ads, issue paid subscriptions to the device owner, intercepting the SMS to confirm login, and exposing the victim device to other threats. In addition, the Triada Trojan automatically installs the MobOk Trojan that opens a subscription page in an invisible window and clicks the subscribe button for the user.
“With this app, it is hard for users to recognize the potential threat because the mod application does what is proposed – it adds additional features. However, we have observed how cybercriminals have started to spread malicious files through the ad blocks in such apps. That is why we recommend you only use messenger software downloaded from official app stores. They may lack some additional functions, but they will not install a bunch of malware on your smartphone,” said Igor Golovin, a security expert at Kaspersky.
Different types of malware downloaded by FMWhatsapp include:
- Trojan-Downloader.AndroidOS.Agent.ic. This malware downloads and launches other malicious modules.
- Trojan-Downloader.AndroidOS.Gapac.e. – displays full-screen ads when users least expect them to pop up.
- Trojan-Downloader.AndroidOS.Helper.a – downloads and launches the xHelper Trojan installer module. It also runs invisible ads in the background to increase the number of views they get.
- AndroidOS.MobOk.i – signs the device owner up for paid subscriptions.
- AndroidOS.Subscriber.l – serves to sign victims up for premium subscriptions.
- AndroidOS.Whatreg.b – signs into WhatsApp accounts on the victim’s phone. The malware gathers information about the user’s device and mobile operator, then sends it to the command-and-control server.
Indicators of Compromise (IOC)
- MD5
Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
- C&C
http://t1k22.c8xwor[.]com:13002/
https://dgmxn.c8xwor[.]com:13001/
Protective Measures
Security experts from Kaspersky recommended specific measures to protect against malicious applications like FMWhatsapp. These include:
- Only install applications from official stores and reliable resources.
- Remember to check which permissions you give to the installed applications – some of them can be very dangerous.
- Install a reliable mobile antivirus on your smartphone to detect and prevent possible threats.
