- Unofficial modified versions of WhatsApp circulating on third-party stores carry the ‘Triada’/‘xHelper’ malware.
- The app will perform ad-clicking activities, fetch additional payloads, and exfiltrate device ID data to the C2.
- Avoiding app mods and APKs downloaded from obscure sources is a good way to prevent such nasty infections.
The popular WhatsApp mod using the name ‘FMWhatsApp’ has been confirmed to be carrying the ‘Triada’/‘xHelper’ trojan by researchers at Kaspersky who analyzed the latest version of the APK. This means people who have downloaded and installed the particular app on their smartphones have had their device ID, subscriber ID, and MAC address exfiltrated, and have also opened the door to additional malware being fetched onto the infected device. xHelper is a very persistent malware dropper and ad clicker that is next to impossible to remove from a phone once it nests in one.
The FMWhatsApp mod is a modified version of WhatsApp that offers extra features such as hiding conversations from the list, auto-deleting messages in chats, auto-translating to a target language, viewing messages that have been deleted by the sender, and even the option to use animated themes. Moreover, it has some unique privacy features, increased limits on group participants, an in-built app lock, and more. It is essentially a feature-rich spin on the barebones official WhatsApp, but it comes with its own set of risks, notably a higher likelihood of ending up with a malware infection.
The app hasn’t had problems of this kind before, so either malicious actors compromised some point of the supply chain or the developers’ toolset, or someone else forked FMWhatsApp, embedded the xHelper trojan, and released it on third-party app stores where code review is practically non-existent.
Upon installation on the victim’s device, the laced FMWhatsApp app asks for permission to read SMS messages, a permission that lets it capture one-time passwords (OTPs) and thereby bypass SMS-based 2FA protection. In the current version, that capability is used to automatically subscribe victims to premium services using the actor’s affiliation code.
Protecting yourself from this threat is as simple as avoiding APK downloads from untrustworthy sources and shady app stores. If you have to use an app like FMWhatsApp, pay close attention to the permission requests and reject those that appear risky or irrelevant to the app’s core functionality. Finally, use a mobile security solution that stays alert when malicious apps like this one attempt tricks under the hood, and alerts you to the fact.
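The permission review described in the two paragraphs above can be done before installing, by inspecting what the APK declares rather than waiting for runtime prompts. The script below is an added example, not code from the article or from Kaspersky: it parses the text that `aapt dump permissions app.apk` prints, flags the permissions that enable the behaviours described here (OTP interception, premium-SMS subscription, device and subscriber ID collection), and lists anything beyond a known-good baseline. The package name, sample dump and baseline set are constructed for illustration; in practice the baseline would be the permission set of the official build of the same app.

```python
"""Triage an Android app's declared permissions against a baseline.
Input is the output of `aapt dump permissions app.apk`; the sample
below is constructed for this example, not taken from a real APK."""
from __future__ import annotations
import re

# Permissions that enable the abuse described in the article, with the reason.
RISKY = {
    "android.permission.READ_SMS": "can read OTP/2FA codes delivered by SMS",
    "android.permission.RECEIVE_SMS": "can intercept incoming OTP/2FA SMS",
    "android.permission.SEND_SMS": "can subscribe the device to premium SMS services",
    "android.permission.READ_PHONE_STATE": "exposes device ID (IMEI) and subscriber ID (IMSI)",
}

# aapt prints one 'uses-permission: name=...' line per declared permission
# (newer builds also emit 'uses-permission-sdk-23:' for runtime-only ones).
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'", re.M)
_PKG_RE = re.compile(r"^package: (\S+)", re.M)


def parse_aapt_permissions(dump: str) -> tuple[str, set[str]]:
    """Return (package name, set of declared permissions) from aapt output."""
    m = _PKG_RE.search(dump)
    pkg = m.group(1) if m else "<unknown>"
    return pkg, set(_PERM_RE.findall(dump))


def triage(dump: str, baseline: set[str]) -> dict:
    """Flag risky permissions and any permission absent from the baseline."""
    pkg, perms = parse_aapt_permissions(dump)
    return {
        "package": pkg,
        "risky": {p: RISKY[p] for p in sorted(perms) if p in RISKY},
        "beyond_baseline": sorted(perms - baseline),
    }


# Constructed sample: a messaging mod that asks for SMS and phone-state access.
SAMPLE_DUMP = """\
package: com.example.messagingmod
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""
# Constructed baseline standing in for the official app's permission set.
BASELINE = {"android.permission.INTERNET", "android.permission.READ_CONTACTS"}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, BASELINE).items():
        print(f"{key}: {value}")
```

Anything listed under `beyond_baseline` that is also in `risky` is the signal to stop and not install; an unrelated extra permission still deserves a second look.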