A modified version of the WhatsApp messaging app for Android has been trojanized to intercept text messages, serve malicious payloads, display full-screen ads, and register device owners for unwanted premium subscriptions without their knowledge.
“The Triada Trojan snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 along with the adware development kit (SDK),” researchers at Russian cybersecurity firm Kaspersky said in a whitepaper published Tuesday. “This is similar to what happened with APKPure, where the only malicious code that was embedded in the application was a payload downloader.”
Modified versions of legitimate Android apps, a practice known as modding, add functions that the original developers never envisioned or intended. FMWhatsApp, billed as a custom version of WhatsApp, lets users reshape the app with different themes, customize icons, hide features such as the "last seen" status, and even disable video calling. The application is available only through third-party websites.
The manipulated variant detected by Kaspersky collects unique device identifiers and sends them to a remote server, which responds with a link to a payload; the Triada Trojan then downloads, decrypts, and launches that payload.
That payload can in turn carry out a wide range of malicious activity: downloading additional modules, displaying full-screen ads, stealthily subscribing victims to premium services, and signing in to WhatsApp accounts on the device. Worse still, attackers can hijack those WhatsApp accounts to run social engineering campaigns or distribute spam, spreading the malware to further devices.
“It is worth noting that FMWhatsApp users grant the application permission to read their SMS messages, which means that the Trojan and all the additional malicious modules it loads also gain access to them,” the researchers said. “This allows attackers to automatically enroll the victim in premium subscriptions, even if a confirmation code is required to complete the process.”
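The practical check that follows from this is to find sideloaded apps on a device that hold SMS permissions, since a modded messenger installed from a third-party site has no business reading confirmation codes. The script below is an added example, not code from the article or from Kaspersky: it parses the output of `adb shell dumpsys package` and flags packages whose installer is not Google Play (`com.android.vending`) and that have been granted any SMS permission. The sample `dumpsys` text is constructed for illustration, and the line formats it assumes (`Package [name]`, `installerPackageName=`, `permission: granted=true`) are those commonly seen in that output but vary slightly across Android versions.

```python
"""Flag sideloaded Android packages that hold SMS permissions.

Added example: feed it the output of `adb shell dumpsys package`
(e.g. saved to a file) and it reports packages installed outside a
trusted store that have been granted READ_SMS/RECEIVE_SMS/SEND_SMS.
"""
import re
import sys

# Permissions that let an app read or intercept one-time codes.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}

# Assumption: only Google Play counts as a trusted installer; a
# sideloaded APK shows up with installerPackageName=null.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed dumpsys line formats (vary slightly across Android versions).
PACKAGE_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]", re.M)
INSTALLER = re.compile(r"installerPackageName=(\S+)")
GRANTED = re.compile(r"(android\.permission\.[A-Z_]+): granted=true")

# Constructed sample output, not captured from a real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.whatsapp] (1a2b3c):
    userId=10155
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.fmwhatsapp] (4d5e6f):
    userId=10234
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (7a8b9c):
    userId=10301
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_dumpsys_packages(text):
    """Split dumpsys output into {package: {"installer": str, "granted": set}}."""
    records = {}
    headers = list(PACKAGE_HEADER.finditer(text))
    for i, match in enumerate(headers):
        # Each package's block runs until the next "Package [...]" header.
        start = match.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[start:end]
        installer = INSTALLER.search(body)
        records[match.group(1)] = {
            "installer": installer.group(1) if installer else "null",
            "granted": set(GRANTED.findall(body)),
        }
    return records


def flag_sideloaded_sms_apps(text):
    """Return [(package, installer, [sms permissions])] for untrusted installs holding SMS access."""
    findings = []
    for pkg, rec in parse_dumpsys_packages(text).items():
        sms = rec["granted"] & SMS_PERMISSIONS
        if sms and rec["installer"] not in TRUSTED_INSTALLERS:
            findings.append((pkg, rec["installer"], sorted(sms)))
    return sorted(findings)


if __name__ == "__main__":
    # Use a saved dumpsys file if given, otherwise the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for pkg, installer, perms in flag_sideloaded_sms_apps(data):
        print(f"{pkg} (installer={installer}) holds {', '.join(perms)}")
```

Run it against real output with `adb shell dumpsys package > pkgs.txt && python3 flag_sms.py pkgs.txt`. The official `com.whatsapp` entry in the sample also holds READ_SMS but is skipped because it came from Google Play; the point is the combination of an untrusted installer and SMS access, which is exactly what lets a loader like the one described above complete a premium subscription that requires a confirmation code.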
Author: Ravie Lakshmanan.