Unofficial WhatsApp Android app spreading malware and stealing accounts

Android applications were caught infecting devices while posing as an unofficial WhatsApp mod

Modified WhatsApp program for Android spreads the Triada trojan, which steals account access keys

A dangerous mobile trojan that steals accounts and data and infects devices has been found inside a malicious, modified WhatsApp Android program. Users who install the app can end up with their account credentials stolen and their devices infected with other significant threats.[1] Reports surfaced with more details on the threat actors distributing the data-stealing trojan through a trojanized build of YoWhatsApp, a widely used modified version of the well-known WhatsApp messaging application.[2]

The unofficial application has been observed deploying the Android trojan known as Triada.[3] The malware's purpose is to steal the access keys that allow a WhatsApp account to be used without the official application; once stolen, those keys give the operators of the malicious mod access to and control over the account. The malicious application is a fully working messaging client and requests the same permissions as the standard WhatsApp program, so nothing looks out of place to the user, and it is promoted through advertisements inside popular Android applications, which is why it has gained such a following.

The malicious version offers features beyond a plain copy of the known app: it lets users customize the interface, lock individual chats, message numbers that are not saved as contacts, and apply themes. These additions make installing it all the more enticing for users.

Stealing WhatsApp keys allows criminals to control users' accounts

Researchers[4] report that YoWhatsApp version 2.22.11.75 steals WhatsApp access keys and lets threat actors take over accounts. The Triada trojan hides inside the modified application, which has carried this malicious function since last year. The trojanized builds send the stolen access keys to the developers' remote server.

The stolen access keys can be loaded into open-source utilities that connect to WhatsApp as if they were the genuine client. Criminals can then act as the user without that person's knowledge or permission. It is unclear whether stolen keys have already been used in any campaign, but such account takeovers are feasible and pose a major threat.

Threat actors can read sensitive conversations with personal contacts, impersonate users to their close connections, spread the malware further to devices worldwide, or directly abuse the sensitive information obtained from the hijacked accounts. Because the user grants the mod the permissions it requests, including SMS access, the Triada trojan can also read SMS messages and other data on the device.

Malvertising and push advertisements promoting mods

These modified applications are promoted via advertisements inside Snaptube and Vidmate. Both platforms have been used to deliver malvertising content before, and researchers have informed the companies about the malicious applications being pushed through their advertising platforms. Initially, this YoWhatsApp build was promoted under the name WhatsApp Plus, and the ads listed all the extra functions that make people eager to install such Android programs.

Staying safe while using WhatsApp might not be that easy. Recently, reports surfaced that particular brands are spamming users in India with emotionally manipulative material.[5] Many such advertisements can be malicious and may push other modified applications, and with them, infections.

Modified applications like these can in turn advertise malicious versions of other software, prompting APK downloads from outside the Google Play Store. Avoid them: installations from outside the official app store and other official sources are frequently tied to serious threats. This is a simple tip, but the single most important one.
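One practical way to act on that advice is to check which apps on a device arrived outside the official store. The following is an added example, not code from the original article or from the researchers it cites: it parses the output of `adb shell pm list packages -i` (constructed sample lines below, with hypothetical package names) and flags WhatsApp look-alike package names as well as any WhatsApp package whose installer is not Google Play. The official package names `com.whatsapp` and `com.whatsapp.w4b` are real; treating only `com.android.vending` as a trusted installer is an assumption you may widen for other stores.

```python
"""Flag sideloaded or look-alike WhatsApp packages from `pm list packages -i` output.

Added example for this article; run `adb shell pm list packages -i` on a device
and feed the text to parse_pm_output() instead of the constructed SAMPLE below.
"""
import re

# Fact: Play Store package names of WhatsApp Messenger and WhatsApp Business.
OFFICIAL_WHATSAPP = {"com.whatsapp", "com.whatsapp.w4b"}
# Assumption: only Google Play is treated as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# `pm list packages -i` prints lines of the form:
#   package:<name>  installer=<installer package or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

REASON_LOOKALIKE = "look-alike package name, not an official WhatsApp package (mod or repackage)"
REASON_SIDELOADED_OFFICIAL = "official package name but installer is not a trusted store"

# Constructed sample output; the com.example.* names are hypothetical.
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.whatsapp.plus  installer=null
package:com.whatsapp.w4b  installer=com.example.sideloader
package:com.example.videoapp  installer=null
"""


def parse_pm_output(text):
    """Return a list of (package, installer) pairs; installer=null becomes None."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package entry
        inst = m.group("inst")
        pairs.append((m.group("pkg"), None if inst == "null" else inst))
    return pairs


def find_suspicious(pairs):
    """Return (package, installer, reason) for WhatsApp-related packages worth a look.

    Two cases are flagged: a package name that merely contains 'whatsapp' (mods such
    as the one described in the article), and an official package name that was not
    installed by a trusted store (a repackaged or sideloaded copy).
    """
    findings = []
    for pkg, inst in pairs:
        if pkg in OFFICIAL_WHATSAPP:
            if inst not in TRUSTED_INSTALLERS:
                findings.append((pkg, inst, REASON_SIDELOADED_OFFICIAL))
        elif "whatsapp" in pkg.lower():
            findings.append((pkg, inst, REASON_LOOKALIKE))
    return findings


def list_sideloaded(pairs):
    """Return every package not installed by a trusted store (installer None or unknown)."""
    return [pkg for pkg, inst in pairs if inst not in TRUSTED_INSTALLERS]


if __name__ == "__main__":
    parsed = parse_pm_output(SAMPLE)
    for pkg, inst, reason in find_suspicious(parsed):
        print(f"SUSPICIOUS {pkg} (installer={inst}): {reason}")
    print("Sideloaded packages:", ", ".join(list_sideloaded(parsed)))
```

The installer field only records who installed the package, so a mod installed from a file manager shows `installer=null` while one pushed by a third-party store shows that store's package name; both end up outside the trusted set. Anything flagged by find_suspicious() deserves a look at its signing certificate (`apksigner verify --print-certs` on the APK) before the account is trusted again.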

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
