FMWhatsApp for Android spotted installing Triada trojan

A trojanized version of WhatsApp for Android was used to deliver harmful payloads, display full-screen advertising, and sign users up for unwanted premium subscriptions without their consent. According to Kaspersky researchers, the Triada Trojan snuck into one of the modified versions of the messenger, titled “FMWhatsApp 16.80.0”, along with the advertising software development kit (SDK).

 

It’s similar to what happened with APKPure, where the only harmful code was a payload downloader embedded in the application.

 

Modified versions of legitimate Android apps, a practice often known as modding, are meant to provide features that the original app developers did not include. FMWhatsApp lets users personalize the app with numerous themes, modify icons, hide features such as last seen, and even turn off video calling.

 

 

What is the Triada Trojan?

Kaspersky says, “Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device’s RAM, which makes it extremely hard to detect.”

 

This altered version of WhatsApp collects unique device identifiers and sends them to a remote server. The server responds with a link to a payload, which the Triada trojan then downloads, decrypts, and runs.

 

The payload can be used to carry out a variety of malicious tasks, including installing new modules and displaying full-screen ads, as well as secretly subscribing victims to premium services and signing into their WhatsApp accounts. Threat actors can take over WhatsApp accounts and use them to carry out social engineering attacks or send spam messages, spreading malware to other devices.

 

According to the researchers, FMWhatsApp users give the app permission to read their SMS messages, which gives the Trojan and all the other harmful modules it loads access to them as well. This makes it easier for threat actors to sign the victim up for premium subscriptions automatically, even if a confirmation code is necessary to finish the procedure.
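The SMS access described above suggests a simple device audit: list apps that were not installed by a trusted store and hold a granted SMS-read permission. The following is an added example, not code from Kaspersky or from the original article; the trusted-installer set, the package names, and the sample text (shaped like `adb shell pm list packages -i` and the permission lines of `adb shell dumpsys package <name>`) are assumptions constructed for illustration.

```python
import re

# Assumption for this example: only Google Play counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample shaped like `adb shell pm list packages -i` output.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.modmessenger  installer=null
"""
# Constructed sample: permission lines as in `adb shell dumpsys package <name>`.
SAMPLE_DUMPS = {
    "com.whatsapp": "      android.permission.READ_SMS: granted=false\n",
    "com.example.modmessenger": (
        "      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]\n"
        "      android.permission.CAMERA: granted=true\n"
    ),
}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def parse_installers(listing):
    """Map package name -> installer package (None when no installer is recorded)."""
    result = {}
    for line in listing.splitlines():
        m = PKG_RE.match(line)
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def granted_sms_permissions(dump):
    """Return the SMS permissions marked granted=true in a dumpsys excerpt."""
    found = set()
    for line in dump.splitlines():
        m = PERM_RE.match(line)
        if m and m.group(2) == "true" and m.group(1) in SMS_PERMISSIONS:
            found.add(m.group(1))
    return found

def flag_sideloaded_sms_readers(listing, dumps):
    """Packages outside the trusted store that currently hold SMS access."""
    flagged = {}
    for pkg, installer in parse_installers(listing).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        perms = granted_sms_permissions(dumps.get(pkg, ""))
        if perms:
            flagged[pkg] = sorted(perms)
    return flagged
```

A flagged package is only a candidate for review: legitimate sideloaded apps can also hold SMS permissions, so the result narrows the list rather than identifying malware.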

 
