A modified version of WhatsApp for Android has been found distributing harmful payloads and displaying full-screen ads. The app was also used to sign up device owners for unwanted subscriptions.
Users who downloaded the modified app also unwittingly installed the Triada Trojan and an advertising software development kit (SDK).
“The Trojan Triada snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 together with the advertising software development kit (SDK),” researchers from Russian cybersecurity firm Kaspersky said in a report published Tuesday. “This is similar to what happened with APKPure, where the only malicious code that was embedded in the app was a payload downloader.”
The app was modified by a hacker in a process known as “modding,” a technique in which users modify an app without the original developers’ approval.
A variant of the Android app detected by Kaspersky can gather unique device identifiers, which are sent to the hacker’s server and can then be used to download further malicious payloads.
The payload can also carry out various malicious activities, such as stealing sensitive information from the victims, downloading additional modules, and displaying full-screen ads that subscribe the victims to premium services.
Even worse, the attackers can take over WhatsApp accounts to perform social engineering attacks and distribute the malware via spam messages sent to other users.
“It’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them,” the researchers said. “This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process.”