According to cybersecurity firm Kaspersky, the Triada Trojan was smuggled into one of the modified versions of WhatsApp, FMWhatsApp version 16.80.0, together with an advertising software development kit (SDK). FMWhatsApp is meant to be a custom build of WhatsApp that lets users personalize the app with different icons and adds features not available in the original app, such as disabling video calling.
The trojanized FMWhatsApp is fully capable of intercepting text messages, displaying full-screen ads and serving malicious payloads, and even signs device owners up for unwanted premium subscriptions without their consent.
How was the trojanized FMWhatsApp spotted installing the Triada Trojan?
Researchers at Kaspersky discovered that the trojanized FMWhatsApp gathers unique device identifiers and sends them to a remote server, which replies with a link to a payload that is then downloaded, decrypted and launched by the Triada Trojan.
The Triada Trojan acts as an intermediary: first it collects data about the device, and then, based on the information gathered, it downloads another Trojan. Through Triada, FMWhatsApp downloads several types of malware, including:
- Trojan.AndroidOS.MobOk.i, a Trojan that signs up for paid subscriptions
- Trojan-Downloader.AndroidOS.Helper.a, which downloads and runs the installer module of the xHelper Trojan and runs invisible ads in the background
- Trojan-Downloader.AndroidOS.Gapac.e, which downloads and runs other malicious modules and can also display full-screen ads at unexpected moments
- Trojan-Downloader.AndroidOS.Agent.ic, a Trojan that downloads and runs other malicious modules
- Trojan.AndroidOS.Whatreg.b, the most complex Trojan in the list, signs in to the WhatsApp account on the victim’s phone, intercepting the login confirmation text
All of this malware ultimately turns the device into a platform for various kinds of illegal activity, such as malvertising, spam distribution and illicit trading services.
How to mitigate Triada attacks?
Most importantly, Android users should avoid installing apps from unofficial sources and should always use their device's privacy and security settings to deny sensitive permissions to installed apps.
They should also refrain from using mods and use only the official version of an app, downloaded from the official app store, which is what ensures the app is free of malware.
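One way for an administrator or a curious user to check for the two risks above (WhatsApp mods, and apps that did not come from the Play Store) is to inventory installed apps with their installer over adb and flag the outliers. The script below is an added example, not code from the article or from Kaspersky; the inventory it processes is constructed inline, its `pkg=... installer=...` line format is an assumption (real `pm list packages -i` output looks slightly different and varies by Android version), and `com.fmwhatsapp` is a placeholder package name, not one reported by the article.

```shell
#!/bin/sh
# Added example (not from the article or Kaspersky): flag installed Android
# packages that look like WhatsApp mods or that were not installed by the Play
# Store. The line format "pkg=<name> installer=<installer>" is an assumption;
# on a real device it can be produced with something like
#   adb shell 'pm list packages -i -3'
# and reshaped with sed before being fed to flag_suspicious.

# Constructed sample inventory (placeholder package names, not real IoCs).
# "null" is what Android reports when no installer package is recorded,
# i.e. the APK was sideloaded.
SAMPLE_INVENTORY='pkg=com.whatsapp installer=com.android.vending
pkg=com.fmwhatsapp installer=null
pkg=com.example.bank installer=com.android.vending
pkg=com.example.game installer=com.android.packageinstaller'

# Prints one line per finding, "MOD <pkg>" or "SIDELOADED <pkg> (installer=...)".
# Rule 1: any package other than com.whatsapp whose name contains "whatsapp"
#         is treated as a WhatsApp mod.
# Rule 2: any package whose installer is not com.android.vending (the Play
#         Store) was sideloaded or came from another store.
flag_suspicious() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        pkg=${line#pkg=}; pkg=${pkg%% *}
        inst=${line##*installer=}
        case "$pkg" in
            com.whatsapp) ;;
            *whatsapp*) echo "MOD $pkg" ;;
        esac
        if [ "$inst" != "com.android.vending" ]; then
            echo "SIDELOADED $pkg (installer=$inst)"
        fi
    done
}

flag_suspicious "$SAMPLE_INVENTORY"
```

A package flagged on both rules, as the placeholder mod is here, is exactly the profile the article describes: a WhatsApp mod that never passed through the official store.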