Security researchers discovered a modified WhatsApp build, YoWhatsApp version 2.22.11.75, which hides a malicious module detected as Trojan.AndroidOS.Triada.eq (Triada trojan).
YoWhatsApp Hides a Malicious Module
According to Kaspersky’s Secure List, the module decrypted and launched the trojan’s main payload.
The malicious module is capable of stealing various keys required for legitimate WhatsApp versions to work. The researchers believe that “to resolve this problem, the cybercriminals had to figure out all the intricacies of the messenger before writing the new version.”
How is this possible? The keys in question are usually used by open-source utilities that allow a WhatsApp account to be used without the app itself. If the keys are stolen, a user of a malicious modification of the app can lose control over the account, the report explained.
It should be noted that the malicious YoWhatsApp build is “a fully working messenger” with additional features. Upon installation, the app asks for the same permissions as the original messenger, and these permissions are granted to the Triada trojan. These permissions are used to add paid subscriptions without the user’s knowledge, among other malicious activities.
The researchers also discovered another malicious version of YoWhatsApp (WhatsApp Plus) in the Vidmate mobile app. This malicious build was uploaded to the internal app store that is part of Vidmate.
What is the purpose of such malicious campaigns?
“Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps,” the researchers said. In other words, even mobile users who only download apps from official sources can still be affected. Malware such as Triada can then be used to send unsolicited messages, including malspam. Financial loss is also possible due to the malware’s capability to set up paid subscriptions for the affected user.
It is noteworthy that in 2017, Dr.Web researchers discovered that the Triada trojan came pre-installed on Android devices, allowing attackers to download and run more malware on users’ phones. The trojan was detected on several Chinese Android mobile phones such as the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.