Malware is increasingly being disguised in fake Android apps

Aug 24, 2021 16:43 GMT

A customized version of the WhatsApp messaging app for Android has been found to display full-screen advertising, register device users for unwanted premium subscriptions without their agreement, and deliver dangerous payloads, says The Hacker News.

Generally speaking, modifications of legitimate Android apps are released to provide functions that the original app does not offer. For instance, with FMWhatsApp you can customize icons, disable video calls, add themes or hide features like Recently Seen. Then again, not all mods are released with good intentions, and this is another example of why you should be wary of too-good-to-be-true free services.

The FMWhatsApp version discovered by Kaspersky collects unique device identifiers and sends them to a remote server, after which the Triada Trojan is downloaded, decrypted, and executed. The Trojan can perform a wide variety of actions, including installing new modules to grab additional malware. The irritating part is that it signs you up for various premium subscriptions. Even though a confirmation code is needed to finish the transaction, the malware lets the attackers complete the sign-up for premium memberships on their own.

The malware is capable of a variety of destructive operations

Take note that attackers can take over WhatsApp accounts to launch social engineering attempts or send spam messages to spread the Trojan to more devices. Since FMWhatsApp explicitly asks users for permission to read SMS messages, users who grant it are agreeing to allow the Trojan and any other malicious modules to access their communications.

Kaspersky notes in a write-up: "The Trojan Triada snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 together with the advertising software development kit (SDK)" [...] "This is similar to what happened with APKPure, where the only malicious code that was embedded in the app was a payload downloader."