Mobile Triada trojan targets modified WhatsApp messenger users

Trojan lands on machines when the free app version gets downloaded from a random advertising site

Triada trojan spreads to mobile devicesFMWhatsApp embedded with the malware that tracks information and intercepts texts

Researchers from Russian cybersecurity firm Kaspersky discovered[1] that a modified version of the WhatsApp messaging app for Android has been trojanized. Malware is used to intercept text messages, serve malicious payloads, display full-screen ads, and sign up device owners for unwanted premium subscriptions without their knowledge.

The Trojan Trianda impacted a modified version of the messenger app called FMWhatsApp 16.80.0 together with the advertising software development kit (SDK). The FMWhatsApp 16.80.0 app is only available via unofficial third-party app stores and is one of many popular WhatsApp mods that allow users to add functionality to Facebook’s WhatsApp messenger.

Researchers warn that this latest version of Triada acts as a payload downloader, injecting up to six additional trojan applications onto Android phones that can do a number of malicious actions – from commandeering a handset silently to full-screen popup ads. These can be considered campaigns of the WhatsApp virus.[2]

The modified app can gather unique device identifiers, which are sent to a remote server that responds back with a link to a payload that's subsequently downloaded, decrypted, and launched by the Triada trojan. The payload could carry out a wide range of malicious activities.[3]

More danger could arise if attackers would hijack and take control of the WhatsApp accounts. In this way, they could carry out social engineering attacks or distribute spam messages, thus propagating the malware to other devices. Everything would be done in the user's name.

Malware could gain access to private messages

Kaspersky researchers add that gaining access to WhatsApp accounts is all danger that users could face. As FMWhatsapp users grant the app permission to read their messages, Trojan and all the further malicious modules will have that possibility as well.

Experts state that threat actors spread malicious files through the adblocks in such unverified apps. Therefore, it is safer to use only apps and software downloaded from official app stores.[4] Otherwise, malware and possible security threats shouldn't come as a shock.

A third-party app, an application made by someone other than the manufacturer of a mobile device or its operating system almost always presents a certain amount of danger. Personal data could be copied and shared with other parties, deleting an app could become difficult or impossible, and its behavior could change without notification.[5]

Users should think ahead before giving an app access to an account. It's important to understand the permissions it requests and what it does with the data it can access. However, as we see, later modifications and involvement of threat actors could cause additional dangers.

Triada is systematically evolving and becoming more threatening

Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device’s RAM, which makes it extremely hard to detect. Once downloaded and installed, the Triada Trojan tries to collect information about the system, like the device model, the OS version, the amount of the SD card space.[6]

The best way to keep your devices safe is to constantly update the system as Trojan faces more problems gaining access to newer Android versions. Anti-virus solutions should be installed on personal devices too as it helps to detect dangerous Triada modules.

Finally, there is always a good idea to stay smart and be proactive. Users should avoid obscure programs and apps and only download from the official app store. With these safety measures, anti-virus programs and keep-up with personal devices, malware, or any threatening activity could detect facts and be taken care of safely.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions