Malicious code spreads through a mod in the world’s most popular messenger app

Woburn, MA – August 24, 2021 – Today Kaspersky announced it has discovered a malicious version of a popular WhatsApp messenger modification called FMWhatsapp. This mod spreads the Triada mobile Trojan, which downloads other Trojans and can launch ads, issue subscriptions, and intercept a user’s SMSs.

Even though WhatsApp is one of the most popular apps for instant mobile messaging, not all users are satisfied with its features. Looking for the most user-friendly version, people can be tempted to install modified versions of the app, which provide many more options than the official one. These can include things like the ability to choose dynamic templates or to read deleted messages.

In such apps, creators often publish ads to monetize their work. Fraudsters can take advantage of this, often distributing malicious code through advertising. One example of this is FMWhatsapp – the 16.80.0 version – which includes the Triada Trojan and one of the ad libraries.

In the dangerous version of the FMWhatsapp mod, the Triada Trojan acts as a mediator. First, it collects data about the user's mobile device and then, at the owner’s command, downloads one of the other Trojans to the smartphone. These Trojans can independently launch ads, issue paid subscriptions to the device owner and even log into the WhatsApp account, intercepting the SMS to confirm login, leaving the victim vulnerable to illegal activity through their phone.

Downloaded by Triada, the MobOk Trojan opens a subscription page in an invisible window and clicks the ‘Subscribe’ button for the user

“With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed – it adds additional features,” said Igor Golovin, security expert at Kaspersky. “However, we have observed how cybercriminals have started to spread malicious files through the ad blocks in such apps. That is why we recommend you only use messenger software downloaded from official app stores. They may lack some additional functions, but they will not install a bunch of malware on your smartphone.”

Kaspersky solutions detected the malicious implant as Trojan.AndroidOS.Triada.ef. 

Learn more about the Triada Trojan in FMWhatsapp mod on Securelist.

To stay safe, Kaspersky experts also recommend:

• Only installing applications from official stores and reliable resources
•  Remembering to check which permissions you give installed applications – some of them can be very dangerous
• Installing a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android. It will detect and prevent possible threats.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.   

Media Contact

Sawyer Van Horn

sawyer.vanhorn@Kaspersky.com

(781) 503-1866