Mexico, Brazil, Russia and Indonesia among the most affected countries
Kaspersky researchers have discovered a new malicious version of WhatsApp mod called YoWhatsApp, which has become popular for having functions that the official application does not offer. However, the goal of this modification is to spread the Triada mobile Trojan, which is capable of installing other Trojans, issuing paid subscriptions, and even stealing WhatsApp accounts. This new malicious mod is advertised on the popular Snaptube app and is also distributed through Vidmate, which makes the mod appear legitimate and widens the number of possible victims.
Although WhatsApp is one of the most popular messaging applications with millions of users around the world, not everyone is satisfied with the features it offers. Therefore, some users choose to download modifications that provide more options, such as wallpapers and fonts for personalized chats, messages in groups, or the possibility of protecting certain conversations with passwords.
However, these modifications are not always safe. A year ago, Kaspersky discovered another modification WhatsApp, which also spreads the dangerous Triada mobile Trojan. The YoWhatsApp discovery confirms that scammers continue to take advantage of users by creating new malicious modifications. More than 3,600 users have faced this threat in the last two months, with Russia, Brazil, Mexico and Indonesia being the most affected countries.
To infect as many users as possible, cybercriminals have resorted to a new distribution strategy. Now they announce YoWhatsApp update on Snaptube, the popular Android app used to download videos from YouTube, Facebook and Instagram. Since it is used by hundreds of thousands of users all over the world, many of them do not know that this modification could be dangerous. The developers of Snaptube are probably also unaware that the attackers take advantage of the legitimate advertising mechanism in their app.
YoWhatsApp is also distributed through Vidmate, which in addition to being used to download YouTube videos, contains an unofficial Android app store. Here, the attackers publish a malicious version of YoWhatsApp called “Whatsapp Plus”. Since Vidmate is not an official app store, the probability of malicious apps being distributed there is very high, and the appearance of Whatsapp Plus, which infects users with the Trida Trojan, is an example of this.
To use the mod, users need to log in to their official app account. However, along with all the new features, users also receive the Triada Trojan. After infecting the victim, the attackers download and execute malicious payloads on their device, in addition to obtaining their WhatsApp account keys. This gives them the necessary permissions for the app to function properly, as well as the ability to hijack accounts and extort money from victims by signing them up for paid subscriptions that they are not even aware of.
“Advertising on legitimate platforms is a very cunning way for criminals to spread malicious apps, as many users believe that if the app they are using is safe, any advertising on it will be safe too. However, as we can see, this is not always the case, so we recommend that users only download apps from official stores. They won’t always have the same wealth of custom features, but they will definitely be a lot safer for them, reducing the chance of losing their account or money.” comment Anton Kivva, Kaspersky Security Researcher.
Kaspersky solutions detect the malicious implant as: Trojan.AndroidOS.Triada.eq and Trojan-Dropper.AndroidOS.Triada.bd.
To stay safe, Kaspersky recommends:
- Only install apps from trusted official stores.
- Check the permissions granted to installed applications; some of them can be very dangerous.
- Install on your smartphone a reliable mobile antivirus, such as Kaspersky Internet Security for Android, which will detect and prevent potential threats.
Learn more about the Triada Trojan in the full report from secure list.