Researchers uncovered a new modified version of WhatsApp called “FMWhatsapp” that comes with an advertising software development kit and drops the Triada Trojan to spy on devices and steal SMS data.
WhatsApp users are always curious about new features, since the original version lacks some expected ones, such as animated themes, self-destructing messages that delete themselves automatically, the ability to view messages that have been deleted by the sender, and so on.
This gives threat actors a big advantage: they release a modified version of WhatsApp with some extra features, along with ads that are displayed to victims via different banners.
The uncovered modified version, “FMWhatsapp”, comes with malicious code embedded within the app, and that code is employed as a payload downloader.
According to experts from Kaspersky, the modified version asks victims to grant the app permission to read their SMS messages, and the other malicious modules it loads gain access to them as well.
Triada Trojan Infection Process
Once the victim downloads and launches the app, the malware starts gathering device information such as MAC addresses, subscriber IDs and device IDs, sends the details to a remote server, and registers the device.
Digging deeper into the app, researchers found that FMWhatsapp drops the following types of malware:
- Trojan-Downloader.AndroidOS.Agent.ic – downloads and launches other malicious modules.
- Trojan-Downloader.AndroidOS.Gapac.e – downloads and launches other malicious modules. Apart from that, it displays full-screen ads when users least expect them to pop up.
- Trojan-Downloader.AndroidOS.Helper.a – downloads and launches the xHelper Trojan installer module. It also runs invisible ads in the background to increase the number of views they get.
- Trojan.AndroidOS.MobOk.i – signs the device owner up for paid subscriptions.
- Trojan.AndroidOS.Subscriber.l – signs victims up for premium subscriptions.
- Trojan.AndroidOS.Whatreg.b – signs in to the victim's WhatsApp account, gathers information such as the device and mobile operator, and sends those details to the C2 server.
The most important activities performed by FMWhatsApp are reading victims' SMS messages and automatically signing them up for premium subscriptions.