Cyber security researchers have discovered a new malicious version of a WhatsApp messaging mod named YoWhatsApp. Popular for having features that the official app doesn’t offer, this mod infects devices with the Triada mobile Trojan, which can download other Trojans, start paid subscriptions, or even steal WhatsApp accounts.
Users around the world have been affected by this threat in the past two months, with 27% of them in the META region (Middle East, Turkey, Africa). According to the findings of Kaspersky researchers, 9% of the affected users are located in Turkey.
ATTACKERS USE ‘YOWHATSAPP’
The malicious mod in question is advertised in the popular Snaptube app and distributed via Vidmate. This makes the mod less suspicious to users and increases the number of possible victims.
WhatsApp is one of the most popular messaging programs used by millions of users around the world. However, not all users are satisfied with the features offered by the main application. For this reason, some users prefer to download WhatsApp mods which offer more options, such as using custom backgrounds and fonts in their chats, mass messaging, or password protection of certain conversations.
But such mods, unfortunately, are not always safe. Kaspersky researchers, who previously discovered another WhatsApp mod that spread the dangerous Triada mobile Trojan, have now revealed that attackers continue to exploit the popularity of the messaging software around the world by implementing new malicious changes to some versions of YoWhatsApp.
ADVERTISED THROUGH AN ANDROID APP
Cybercriminals are implementing a new distribution plan to target as many users as possible. They advertise the malicious YoWhatsApp mod on Snaptube, a popular Android app used to download videos from YouTube, Facebook and Instagram.
Since YoWhatsApp was promoted via the Snaptube app, which is used by hundreds of thousands of users around the world, many are unaware that this mod can be dangerous. It is claimed that even the developers of Snaptube did not realize that the attackers were exploiting the legitimate advertising mechanism in their application.
MALICIOUS VERSION: WHATSAPP PLUS
YoWhatsApp is also distributed via the Vidmate app. In addition to being used to download YouTube videos, this app also includes an unofficial Android app store.
Here the attackers are posting the malicious version of YoWhatsApp under the name “WhatsApp Plus”. Since Vidmate is not an official app store, malicious apps are much more likely to be found there.
SUBSCRIBE TO PAID SERVICES
To use the aforementioned WhatsApp mod, users must first log into their app account. However, along with the promised new features, users also invite the Triada Trojan onto their devices.
After infecting the victim, the attackers download and run malicious payloads on the victim’s device and acquire the keys to the victim’s account in the official WhatsApp application. This gives them the opportunity to hack accounts and subscribe to paid services without their victims knowing.
WHAT TO PAY ATTENTION TO?
Kaspersky security researcher Anton Kivva warned:
“Advertising on legitimate apps is a cunning way for criminals to spread malicious apps, because many users believe that if the application they use is safe, the ad placed on it does not carry any risk. However, as the last example shows, this is not always the case. That’s why we recommend that users only download apps from official app stores. They may not have many special features. However, they will certainly offer much safer usage by reducing the chance of losing your account or getting your money stolen. And don’t forget to check what permissions you have granted to installed apps; some of these permissions can be very dangerous.”