Kaspersky researchers have discovered a new malicious version of the popular WhatsApp messaging mod called YoWhatsApp. Popular for the features that the official app does not provide, this mod infects devices with the Triada mobile Trojan, which can download other Trojans, launch paid subscriptions, or even steal WhatsApp accounts. Users around the world have been affected by this threat in the past two months, including 27 in the META region (Middle East, Turkey, Africa). 9 of the affected users were from Turkey.
The malicious mod in question is advertised in the popular Snaptube app and distributed via Vidmate. This makes the mod less suspicious to users and increases the number of possible victims.
WhatsApp is one of the most popular messaging programs used by millions of users worldwide. However, not all users are satisfied with the features of the main application. For this reason, some users prefer to download WhatsApp mods that offer more options such as using custom backgrounds and fonts in their chats, mass messaging, or protecting certain conversations with a password.
But such mods are unfortunately not always safe. Previously, Kaspersky had discovered another WhatsApp mod that distributed the dangerous Triada mobile Trojan. Researchers are now witnessing attackers making new malicious changes to some versions of YoWhatsApp as they continue to capitalize on the popularity of the messaging software around the world.
Cybercriminals are using a new distribution scheme to reach as many users as possible by promoting the malicious YoWhatsApp mod on Snaptube, the popular Android app used to download videos from YouTube, Facebook and Instagram. Since YoWhatsApp was promoted through the Snaptube app, which is used by hundreds of thousands of users around the world, many do not know that this mod can be dangerous. Most likely, even the developers of Snaptube did not realize that the attackers were abusing the legitimate advertising mechanism in their app.
YoWhatsApp is also distributed through the Vidmate app. This app is not only used to download YouTube videos but also includes an unofficial Android app store. This is where the attackers place the malicious version of YoWhatsApp called “Whatsapp Plus”. Since Vidmate is not an official app store, malicious apps are much more likely to be found there. Whatsapp Plus, which delivers the Triada Trojan to users' devices, is a good example of this.
To use this WhatsApp mod, users must first log in to their app account. However, along with the promised new features, users are also inviting the Triada Trojan onto their devices. After infecting the victim, attackers download and execute malicious payloads on the device and capture the account keys of the official WhatsApp application. This gives them the ability to hack into accounts and subscribe to paid services without their victims knowing.
Kaspersky Security Researcher Anton Kiwvacsay: “Advertising on legitimate apps is a cunning way for criminals to spread malicious apps, because many users think that if the application they are using is safe, then the advertisement published on it does not carry any risk. However, as the last example shows, this is not always the case. Therefore, we recommend that users only download apps from official app stores. They may not have many special features. However, they will certainly provide much safer use by reducing the chances of losing your account or having your money stolen.”
Kaspersky solutions detect the malicious implants as Trojan.AndroidOS.Triada.eq and Trojan-Dropper.AndroidOS.Triada.bd.
You can learn more about the Triada Trojan in the Securelist report.
For users who want to stay safe, Kaspersky recommends the following:
- Only install apps from official stores and trusted sources.
- Don’t forget to check what permissions you have granted to installed apps – some of these permissions can be very dangerous.
- Install a reliable mobile antivirus solution such as Kaspersky Internet Security for Android on your smartphone. It detects and prevents potential threats.
Source: (BYZHA) – Beyaz News Agency