Kaspersky researchers discovered an unofficial WhatsApp Android application named ‘YoWhatsApp’ that steals access keys for users’ accounts.
Mod apps are advertised as unofficial versions of legitimate apps that have features that the official one does not supports. YoWhatsApp is a fully working messenger with supports additional features, such as customizing the interface or blocking access to individual chats.
The tainted WhatsApp version asks for the same permissions as the original messenger app, such as access to SMS.
“To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan. Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app.” reported Kaspersky. “Along with the permissions needed for WhatsApp to work properly, this gives them the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are not even aware of.”
This mod delivers the Triada Trojan, which can drop other malicious payloads, issue paid subscriptions, and even steal WhatsApp accounts. According to Kaspersky, more than 3,600 users have been targeted in the last two months.
The YoWhatsApp Android app was advertised in the official Snaptube app.
The experts also found the malicious app build into the popular Vidmate mobile app, which is designed to save and watch videos from YouTube. Unlike Snaptube, the malicious build was uploaded to the internal store, which is part of Vidmate
Kaspersky researchers reported that YoWhatsApp v18.104.22.168 steals WhatsApp keys, allowing threat actors to take over users’ accounts.
In 2021, Kaspersky spotted another modified version of WhatsApp for Android, which was offering extra features, but that was used to deliver Triada Trojan.
The modified version is called FMWhatsapp 16.80.0.
The experts also discovered the adv for software development kit (SDK) that included the downloader for the malicious payload.
The FMWhatsapp was designed to gather unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package where they’re deployed.
To stay safe, the researchers recommend:
“Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources, may still fall victim to them. In particular, malware like Triada can steal an IM account, and for example, use it to send unsolicited messages, including malicious spam.” concludes Kaspersky. “The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”
(SecurityAffairs – hacking, YoWhatsApp)