The Kaspersky Lab has recently discovered the Trojan Triada, in one of the versions of the mod for the WhatsApp messenger – FMWhatsapp16.80.0. This malware can easily download and operate other malicious modules, exhibit ads, and subscribe.
However, in this version, the threat actors have configured the download of a malicious request by an application which generally increases the functionality of the messenger.
After investigating the whole matter the analyst asserted that the user clicked on the advertising emblem of the malicious application, and soon after that the malicious application opens up the additional functionality and simply downloads a Trojan program in the device of the user.
How Triada Operates?
The security experts of the Kaspersky Lab have started a specific investigation to know all the key details of this malware. However, they stated that how Triada operates is all planned operations, well initially the app needs to get launch, once it has done it starts with its job.
After the app gets launched, the malware immediately gathers all the unique device identifiers such as Device IDs, Subscriber IDs, MAC addresses, as well as the name of the app set where they’re being extended.
According to the report, all the data that were being collected by the threat actors is sent to a remote server as all these data will help to register the device. After the registration, a link arrives in a payload and later it downloads the Trojan to the device.
By analyzing the statistics on files downloaded by FMWhatsapp, we identified a number of different types of malware:
- Trojan-Downloader.AndroidOS.Agent.ic downloads and launches other malicious modules.
- Trojan-Downloader.AndroidOS.Gapac.e also downloads and launches other malicious modules. Apart from that, it displays full-screen ads when users least expect them to pop up.
- Trojan-Downloader.AndroidOS.Helper.a downloads and launches the xHelper Trojan installer module. It also runs invisible ads in the background to increase the number of views they get.
- Trojan.AndroidOS.MobOk.i signs the device owner up for paid subscriptions.
Why use WhatsApp mods?
After knowing about how this malware operates its task, now the question arises here that why it uses WhatsApp mods? We all know that every user has their own preference, and that’s why there might be users who are not happy with all the functionality that WhatsApp provides.
There are many users who desire to feature self-destructing messages or, conversely, the facility to view messages that were deleted by another user.
Apart from this many users desire dynamic themes, and still, others aspire to hide specific chats from the general list or automatically alter messages.
That’s why many users try to modify their WhatsApp and the clients go for solutions that are available online, that are diverse, and are not hard to find.
But in the WhatsApp mods there are various ads that are embedded in them, while at the same time, it also has some problems, such as the threat actors take the opportunity from such third-party ads and sneak into users’ devices.
Defend against such attacks
After investigating the malware attack, the security experts of Kaspersky Lab has suggested some pints that will help the users to defend themselves from this kind of attack, that’s why we have mentioned them below:-
- Users should not install apps from unauthorized sources and always use the device’s settings to deny permission to install them.
- Always prefer official messaging apps, and download them from official app stores, as they might lack few features but it will surely not hamper your device.
- Remember to read and check what permissions you’ve conferred to installed apps — some might profess a real threat.
- Lastly, install a strong mobile antivirus app on your device, and notice its warnings.
Till now Kaspersky Lab solutions registered more than 33 thousand attacks that are associated with WhatsApp, and the experts have mentioned that every user must follow the points that are mentioned above.