Kaspersky Lab experts have discovered a new version of the unofficial WhatsApp application for Android, which bears the name YoWhatsApp and steals access keys to user accounts.
The researchers say it all started last year when they were studying the Triada Trojan found inside FMWhatsApp (one of the modified builds of WhatsApp). At the same time, experts revealed that along with the advertising SDK, a dropper got inside the distribution kit.
This year the situation repeated itself, only with another modified build of the messenger – YoWhatsApp version 2.22.11.75. Inside it was a malicious module, which was assigned the Trojan.AndroidOS.Triada.eq indicator.
This module decrypted and launched on the device the Trojan.AndroidOS.Triada.ef payload already familiar to researchers, and also stole various keys necessary for the operation of legitimate WhatsApp. The researchers believe that in order to solve this problem, the attackers had to understand all the intricacies of the messenger before writing the new version.
The key stolen by attackers is usually used in open source utilities that allow you to use your WhatsApp account without having to download the application. Leaking keys can lead to the fact that the user of the malicious modification of WhatsApp loses control over his account.
It should be noted that YoWhatsApp is a fully functional app that uses the same permissions as the official WhatsApp app and is promoted through ads on popular Android apps like Snaptube and Vidmate. At the same time, YoWhatsApp has additional features, including the ability to customize the interface or block access to individual chats, which makes it very attractive to users. In this case, the Triada trojan also gets the same rights, and with their help it can, for example, issue paid subscriptions to the user without his knowledge.
Kaspersky Lab announces that it has already informed Snaptube developers about om that hackers advertise malicious applications through their platform, so this malware distribution channel should already be closed.