One of the most used communication apps in the world, WhatsApp offers users several features, including thematic pictures, GIFs and voice messages, that facilitate conversations and make them more fun. However, some users are always looking for new features for the application, and malicious mods such as FMWhatsApp, recently analyzed by Kaspersky, have taken advantage of that demand.
The application promises to expand the experience of using the communicator, bringing new emoticon packs, private chats and the possibility of unlocking it using a PIN code, passwords or biometric systems. While such mods traditionally display advertisements as a monetization tactic, in the case of FMWhatsApp the developers decided to introduce the Triada Trojan onto the devices that install it.
Once the application is opened, the malware collects the device's unique identifiers (device identity, signature identities and MAC addresses) and sends them to a remote server, where they are registered. The Trojan is then downloaded, and it is able to initiate the transfer of other malicious agents that display advertisements in the background, show full-screen advertisements and sign the user up for paid services.
“With this app, it’s difficult for the user to identify the potential threat because the app actually does what it proposes — it brings additional features,” explains expert Igor Golovin. “However, we have seen how cybercriminals have started distributing malicious files through the ad blocks of these applications. That’s why we recommend that you only use messengers downloaded from official app stores”, he adds.
Difficult-to-remove threat
According to Kaspersky, the malware-infected mod was distributed on popular websites dedicated to distributing modified versions of WhatsApp. The security company told Bleeping Computer that similar options are available on the Google Play store, but they don’t contain unsafe content — they usually only display common ads or only provide instructions on how to download and install mods.
The FMWhatsApp case is especially troubling for its ability to download the xHelper Trojan, which is quite difficult to remove. The threat manages to survive by copying itself to the partition occupied by the system, also replacing the libc.so library to prevent the user from having full access. The most common way to remove it is to completely reinstall Android on the infected device, but antivirus tools like Malwarebytes are already able to remove it with some ease.
The safest way to protect yourself against suspicious mods is to avoid downloading them from unofficial stores. Although this means giving up some additional features that are not available on WhatsApp, the security gained by avoiding these downloads more than makes up for the inability to access them.
Source: Bleeping Computer, Kaspersky