Kaspersky has warned of a malicious version of a popular WhatsApp mod that is infecting mobile devices and attempting to steal information or download other Trojans. The original YoWhatsApp mod adds features to WhatsApp, including the ability to turn off read receipts, animated emojis, and more. However, the modified version has been bundled with the Triada mobile Trojan, which infects a user’s device after installation and attempts to carry out other malicious activity, such as signing up for paid subscriptions or downloading WhatsApp account information. According to Kaspersky, around 27% of affected users globally were in the META (Middle East, Turkey, Africa) region. Within the META region, 64% of affected users were from Middle Eastern countries.
The modified app has spread primarily through advertisements in other apps, namely the Snaptube app, which lets users download videos from YouTube and other social media platforms. Users unaware that they are being served an ad for a malicious app simply click and download it, thus infecting their devices. Another distribution channel has been the Vidmate app, which, in addition to offering video download services, features an unofficial Android app store where the malicious app was being hosted.
“Advertising in legitimate applications is a very cunning way for criminals to spread malicious applications, as many users believe that, if the application they are using is safe, then any advertising on it does not carry any risks either. However, as we can see, this is not always the case, so we recommend that users download applications only from official app stores. They will not always carry the same large number of custom features, but they will definitely be much safer for you, reducing the possibility of losing your account or reducing your money to a minimum,” comments Anton Kivva, security researcher at Kaspersky.
Once the app has been downloaded to a device, users must activate it using their WhatsApp credentials, which gives the app full access to user account information and lets it use the SMS function to sign up for paid subscriptions. It is always recommended to install apps only from genuine app stores, to avoid malicious programs being secretly installed or information being compromised.