A modified version of WhatsApp for Android has been trojanized to deliver malicious payloads, display full-screen ads, and sign device owners up for unwanted premium subscriptions without their knowledge.
According to researchers at Kaspersky, the Triada Trojan was embedded in one of the modified versions of the messenger, FMWhatsApp 16.80.0, together with an advertising software development kit (SDK).
This is similar to what happened with APKPure, where the only malicious code embedded in the app was a payload downloader.
Modified versions of legitimate Android apps ("mods") are built to perform functions the original developers never intended. FMWhatsApp lets users customize the app with different themes, personalize icons, hide features such as last seen, and even disable video calling.
The tampered variant collects unique device identifiers and sends them to a remote server, which responds with a link to a payload that is then downloaded, decrypted, and launched by the Triada Trojan.
The payload can be used for a wide range of malicious activity, from downloading additional modules and displaying full-screen ads to stealthily subscribing victims to premium services and signing into WhatsApp accounts on the device. With control of a victim's WhatsApp account, the threat actors can conduct social engineering attacks or send spam, spreading the malware to further devices.
The researchers noted that FMWhatsApp users grant the app permission to read their SMS messages, which means the Trojan and every further malicious module it loads gain the same access. That makes it easier for the threat actors to sign the victim up for premium subscriptions automatically, even when a confirmation code delivered by SMS is required to complete the process.
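The practical consequence of the two paragraphs above is that any code loaded into a modded messenger's process, including a payload fetched at runtime, inherits whatever the user granted the mod. The following Python script is an added example, not Kaspersky's tooling and not code from FMWhatsApp: it triages a decoded AndroidManifest.xml (the text form that apktool produces; the binary manifest inside an APK must be decoded first) and reports whether the declared permissions and receivers would let such a module read SMS confirmation codes. The package names, the receiver class name, and both manifests are constructed for illustration; the Android permission and action strings are the real ones.

```python
"""Manifest triage for a modded Android app: which permissions it holds and
whether a module loaded into its process could read SMS confirmation codes.

Added example; not Kaspersky's tooling and not taken from FMWhatsApp.
Input is a *decoded* AndroidManifest.xml (e.g. apktool output).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree spells android:name this way

# Real Android permission / action strings.
SMS_READ_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
INTERNET = "android.permission.INTERNET"


def triage_manifest(manifest_xml: str) -> dict:
    """Return package id, declared permissions, receivers registered for the
    incoming-SMS broadcast, and a list of findings."""
    root = ET.fromstring(manifest_xml)
    perms = sorted(
        p.get(NAME) for p in root.iter("uses-permission") if p.get(NAME)
    )
    # A receiver with an SMS_RECEIVED intent filter sees every incoming SMS,
    # including a subscription confirmation code, as it arrives.
    sms_receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(NAME) for a in recv.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            sms_receivers.append(recv.get(NAME))

    findings = []
    has_sms = bool(SMS_READ_PERMISSIONS & set(perms))
    if has_sms:
        findings.append("sms-access")
    if sms_receivers:
        findings.append("sms-receiver")
    # The article's point: a payload fetched later runs under the same grant,
    # so SMS access plus network access is enough to complete an
    # SMS-confirmed premium subscription without the user.
    if has_sms and INTERNET in perms:
        findings.append("silent-sms-confirmation-possible")
    return {
        "package": root.get("package"),
        "permissions": perms,
        "sms_receivers": sms_receivers,
        "findings": findings,
    }


# Constructed manifest for a hypothetical mod build (not FMWhatsApp's).
MOD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.modmessenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messenger Mod">
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a build with no SMS reach at all.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainmessenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Messenger"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (MOD_MANIFEST, CLEAN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["findings"])
```

Two caveats apply when reading the output. A messenger may legitimately request SMS permissions for verification-code auto-fill, so a finding describes reach, not intent; what makes the FMWhatsApp case dangerous is that the reach extends to a downloader and whatever it fetches. And static triage of the manifest cannot see code that is downloaded and decrypted at runtime, which is precisely how the Triada payload arrives; for a mod that replaces an app you already trust, checking the APK's signing certificate against the official developer's is the more decisive test.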