Using a modified WhatsApp application or WhatsApp mod does have its own security risks. Like the case of one of the most popular WhatsApp mods, FMWhatsApp, which is known to spread malicious malware.
WhatsApp mods such as FMWhatsApp, YoWhatsApp, and others are indeed popular because they can provide features that are not in the official WhatsApp application. FMWhatsApp itself promises additional features such as better privacy, changing application themes, more emoji choices, and others.
Researchers from Kaspersky found FMWhatsApp version 16.80.0 will infect Android phones with the Triada trojan with the help of an advertising software development kit (SDK). This trojan can then spread additional malware to already infected devices, including malware that displays annoying ads, to register users with paid subscription services.
Once installed, the Triada trojan will start collecting device information and send it to the command and control server, which will then send a link containing an additional payload that the Trojan will download and launch on the compromised device. 2021).
According to Kaspersky's report, the Triada trojan will download and launch several additional types of malware on the device, including:
- Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.
- Trojan-Downloader.AndroidOS.Gapac.e, which installs other malicious modules and displays full-screen ads.
- Trojan-Downloader.AndroidOS.Helper.a, which installs the xHelper Trojan installer module and runs invisible ads in the background.
- Trojan.AndroidOS.MobOk.i, which registers device owners to a paid subscription service.
- Trojan.AndroidOS.Subscriber.I, which also registers victims to a premium subscription program.
- Trojan.AndroidOS.Whatreg.b, which collects user information and asks for a verification code to log into the victim's WhatsApp account.
Some of the malware that FMWhatsApp can potentially spread may only be annoying, but some are dangerous. For example, the xHelper malware carried by the Triada trojan is known to be very difficult to remove and can re-infect an Android device only hours after it has been removed or after the device has been reset.
In addition, the malware also allows attackers to hijack and take over a user's WhatsApp account to carry out social engineering attacks or spread spam, which will then continue to spread the malware to other devices.
"With this app, it's difficult for users to identify potential threats because the mod app really delivers what it promises -- it delivers additional features. However, we're seeing how cybercriminals are starting to spread malicious files via ad blocks in apps," the researcher said. Kaspersky Igor Golovin.
"This is why we recommend you to use messenger software downloaded via official app stores. Those apps may lack some extra functionality, but they won't install a lot of malware on your phone," he continued.