Skip to main content

Kaspersky finds new malicious WhatsApp mod advertised in the popular Snaptube app

October 12, 2022

Woburn, MA – October 12, 2022 — Kaspersky researchers discovered a new malicious version of a popular WhatsApp messenger mod dubbed YoWhatsApp. Popular for having features that the official app does not offer, this mod spreads the notorious Triada mobile Trojan that can download other Trojans, issue paid subscriptions, and even steal WhatsApp accounts. More than 3,600 users have faced this threat in the last two months. This new malicious mod is advertised in the popular Snaptube app and is also distributed via Vidmate. This makes the mod look much less suspicious to potential targets, and expands the possible number of victims.

WhatsApp is one of the most popular messengers, used by millions of users worldwide, but not all of them are satisfied with the features offered by the legitimate application. Thus, some users prefer to download WhatsApp mods that provide far more options, such as custom backgrounds and fonts for chats, bulk messaging, or password-protected login to certain conversations.

However, such mods are not always secure. Previously, Kaspersky had already discovered another modification of WhatsApp, which also spreads the dangerous Triada mobile Trojan.  And now, researchers have witnessed that fraudsters continue to take advantage of the popularity of the globally recognized messenger by creating new malicious modifications, such as some versions of so-called YoWhatsApp.

To infect as many users as possible, cybercriminals have resorted to a new distribution scheme. They now advertise the malicious YoWhatsApp mod in the popular Android app Snaptube, which is used to download videos from YouTube, Facebook, and Instagram. Since YoWhatsApp is being advertised in the Snaptube app used by hundreds of thousands of users around the world, many of them are not even aware that this modification could be dangerous. Most likely, even Snaptube’s developers were not aware that the attackers have decided to take advantage of legitimate advertisement mechanism in their app.

YoWhatsApp is also being distributed via the Vidmate app. In addition to being used for downloading YouTube videos, this app contains an unofficial Android app store. Here, attackers published a malicious version of YoWhatsApp called “Whatsapp Plus”. Since Vidmate is not an official app store, the likelihood of malicious apps being distributed there increases several times over and the appearance of Whatsapp plus, which infects users with the Triada Trojan, is an example of this.

To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan. Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app. Along with the permissions needed for WhatsApp to work properly, this gives them the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are not even aware of.

Advertising in legitimate applications is a very cunning way for criminals to spread malicious applications. Many users believe that if the application they are using is safe, then any advertising on it does not carry any risks either,” commentsAnton Kivva, security researcher at Kaspersky. “However, this is not always the case, so we recommend that users download applications only from official app stores. They will not always carry the same large number of custom features, but they will definitely be much safer for you, reducing the possibility of losing your account or reducing your money to a minimum.”

Kaspersky solutions detected the malicious implant as Trojan.AndroidOS.Triada.eq and Trojan-Dropper.AndroidOS.Triada.bd.

Read more about Triada Trojan in the full report on Securelist.

To stay safe, Kaspersky recommends:

  • Only installing applications from official stores and reliable resources.
  • Remembering to check which permissions you give installed applications as some of them can be very dangerous.
  • Installing a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android. It will detect and prevent possible threats.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:

Cassandra Faro

Cassandra.Faro@Kaspersky.com

781-503-1812

Kaspersky finds new malicious WhatsApp mod advertised in the popular Snaptube app

Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases