ESET detected that a fake WhatsApp app, WhatsApp Pink, has been updated by its authors to allow it automatically reply to the victim’s Signal, Telegram, WhatsApp Business, Viber, and Skype messages.
WhatsApp Pink first appeared this week and primarily targets WhatsApp users in the Indian subcontinent, as we’ve reported on Monday.
First reported by security researcher Rajshekhar Rajaharia this weekend, the app promises to add a pink theme to WhatsApp but instead infects with a Trojan that takes over an Android device, and can even automatically spread to other devices.
As reported by BleepingComputer, WhatsApp Pink is really a variant of a fake Huawei app that researchers had analyzed earlier this year.
“WhatsApp Pink is an updated version of the WhatsApp auto-reply worm we wrote about in January,” said ESET malware researcher, Lukas Stefanko in a report.
“The Trojan’s updated version doesn’t auto-reply just to WhatsApp messages, but also to messages received on other instant messaging apps, which could be the reason for its apparent wider spread,” ESET researchers wrote.
ESET researchers demonstrated auto-responding capabilities of malware in a video published this week. WhatsApp Pink successfully replied to messages in a variety of apps including Signal, Viber, Telegram, and Skype.
Even though messaging apps like Signal, WhatsApp, and Telegram use end-to-end encryption, it protects communications and messages in transit, but the data at rest can be accessible to the device owner and applications/malware running on the device.
That’s why end-to-end encryption is not protection against a compromise of an end device by malware like WhatsApp Pink.
Malware has features that help it sink under the radars. Once the victim opens WhatsApp Pink for the first time, the app disappears from the home screen, according to ESET’s analysis.
It also has propagation capabilities but other than that, doesn’t do much. Stefanko believes that this update could just be a “test:”
“The victim will then receive a message, to which they will have to reply in order to unwittingly cause it to propagate further… Beyond that, however, the new version – detected by ESET products as Android/Spams.V – doesn’t really do much,” ESET researchers wrote in a blog post.