Threat researchers at Kaspersky have warned of the risks associated with downloading third-party add-ons for other services, after uncovering a malicious version of a popular WhatsApp messenger mod known as YoWhatsApp.
YoWhatsApp offers a number of features that are not available in WhatsApp, such as the ability to block calls from contacts or unsaved numbers, bulk messaging, new privacy features, additional language options, the ability to set background images or wallpapers, and additional themes and emojis, among many other things.
However, the version found by Kaspersky is in fact being used to spread the Triada mobile Trojan, which is capable of downloading other Trojans, signing its victims up for unwanted paid subscriptions and even stealing WhatsApp accounts.
This is not the first time Triada has been found piggybacking on WhatsApp mods – Kaspersky previously reported on a similar issue in August 2021 – but in this instance the tainted version of YoWhatsApp is also being advertised on other services, including Snaptube, a video downloader for YouTube and other services.
It is also being distributed via an unofficial Android app store contained in the VidMate video downloader, where it is going by the name of WhatsApp Plus.
Kaspersky said such tactics were likely intended to make the malware seem less immediately suspicious to its victims, of whom there are already more than 3,600 at the time of writing.
Kaspersky security researcher Anton Kivva said: “Advertising in legitimate applications is a very cunning way for criminals to spread malicious applications, as many users believe that, if the application they are using is safe, any advertising on it does not carry any risks either.
“However, as we can see, this is not always the case, so we recommend that users download applications only from official app stores,” he said. “They will not always carry the same large number of custom features, but they will definitely be much safer for you, reducing the possibility of losing your account or reducing your money to a minimum.”
ESET global cyber security advisor Jake Moore said: “Fake apps have appeared on app stores for years, but it is interesting to see a duplicate app that entices people with extra features that may persuade users to favour this one.
“However, by using this unofficial app, it may harm users’ genuine accounts or even hand over the access to their accounts to fraudsters,” he said. “Account takeover and sensitive or personal data loss are a big worry as they lead to further targeted attacks. With this added faux authenticity, people are more easily socially engineered into handing over personal financial information or even begin sophisticated cyber attacks on businesses.
“Avoiding alternative apps such as this is highly recommended, but younger people who may be targeted with downloading these apps may be unaware of the dangers,” said Moore. “Even worse is when they do not care of the risks, so awareness advice needs to be carefully delivered via peers and the platforms they frequent.”
