Kaspersky researchers discovered a new malicious version of YoWhatsApp, a popular WhatsApp messenger mod. Popular for providing features not available in the official app, this mod spreads the infamous Triada mobile Trojan, which can download other Trojans, issue paid subscriptions, and even steal WhatsApp accounts. This threat affected users all over the world in the last two months, with more than a quarter of them, 27%, in the META (Middle East, Turkey, Africa) region. Sixty-four percent of META users affected were from Middle Eastern countries.
This new malicious mod is being promoted in the popular Snaptube app and is also being distributed through Vidmate. This makes the mod appear less suspicious to potential targets and increases the number of victims.
WhatsApp is one of the most popular messengers, with millions of users worldwide, but not all of them are happy with the features provided by the official app. As a result, some users prefer to download WhatsApp mods that provide far more options, such as custom chat backgrounds and fonts, bulk messaging, or password-protected login to specific conversations.
However, such modifications are not always safe. Previously, Kaspersky had discovered another WhatsApp modification that spreads the dangerous Triada mobile Trojan. Researchers have now discovered that fraudsters are continuing to exploit the popularity of the globally recognized messenger by developing new malicious modifications, such as some versions of so-called YoWhatsApp.
Cybercriminals have devised a new distribution strategy in order to infect as many users as possible. The malicious YoWhatsApp mod is now advertised in the popular Android app Snaptube, which is used to download videos from YouTube, Facebook, and Instagram. Because YoWhatsApp is advertised in the Snaptube app, which is used by hundreds of thousands of users worldwide, many of them are unaware that this modification could be dangerous. Most likely, Snaptube’s developers were unaware that the attackers had chosen to exploit a legitimate advertising mechanism in their app.
The ad in popular Snaptube app makes it look like YoWhatsApp carries no risks for users
YoWhatsApp is also being distributed via the Vidmate app. In addition to being used for downloading YouTube videos, this app contains an unofficial Android app store. Here, attackers published a malicious version of YoWhatsApp called “Whatsapp Plus”. Since Vidmate is not an official app store, the likelihood of malicious apps being distributed there increases several times over – and the appearance of Whatsapp plus, which infects users with the Triada Trojan, is an example of this.
The malicious WhatsApp mod, spread via Vidmate app, infects users with Triada Trojan
To use the WhatsApp mod, users must first log in to their official app account. However, in addition to all of the new features, users are also infected with the Triada Trojan. After infecting the victim, attackers download and run malicious payloads on their device, as well as gain access to their official WhatsApp account. Along with the permissions required for WhatsApp to function properly, this allows them to steal accounts and steal money from victims by enrolling them in paid subscriptions that they are unaware of.
“Advertising in legitimate applications is a very cunning way for criminals to spread malicious applications, as many users believe that, if the application they are using is safe, then any advertising on it does not carry any risks either. However, as we can see, this is not always the case, so we recommend that users download applications only from official app stores. They will not always carry the same large number of custom features, but they will definitely be much safer for you, reducing the possibility of losing your account or reducing your money to a minimum,” comments Anton Kivva, security researcher at Kaspersky.
Kaspersky solutions detected the malicious implant as Trojan.AndroidOS.Triada.eq and Trojan-Dropper.AndroidOS.Triada.bd.
Read more about Triada Trojan in the full report on Securelist.
To stay safe, Kaspersky recommends:
