Malicious WhatsApp Mod Infects Android Devices With Malware
A malicious version of the FMWhatsApp WhatsApp mod delivers a Triada trojan payload, a nasty surprise that infects users’ devices with additional malware, including the very hard-to-remove xHelper trojan.
FMWhatsApp promises to improve the WhatsApp user experience with added features such as better privacy, custom chat themes, access to other social networks’ emoji packs, and app locking using a PIN, password, or the touch ID.
However, as Kaspersky researchers found, FMWhatsApp version 16.80.0 will also drop the Triada trojan on users’ devices with the help of an advertising SDK.
“This app was available on some popular WhatsApp mods distributing sites. We cannot share the links to them though,” Kaspersky security expert Igor Golovin told BleepingComputer.
“As for [FMWhatsApp clones] on Google Play — these applications usually only contain various ads and instruct users on how to download and install mods, while not actually containing the malicious mods themselves.”
Trojan harvests device info and installs more malware
Once installed, Triada starts collecting device information and sends it to its command-and-control server, which replies with a link to an additional payload that the trojan will download and launch on the compromised Android device.
According to Kaspersky, Triada will download and launch multiple types of additional malware on the targets’ devices, including:
- Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.
- Trojan-Downloader.AndroidOS.Gapac.e, which installs other malicious modules and displays full-screen ads.
- Trojan-Downloader.AndroidOS.Helper.a, which installs the xHelper trojan installer module and runs invisible ads in the background.
- Trojan.AndroidOS.MobOk.i, which signs the Android device owner up for paid subscriptions.
- Trojan.AndroidOS.Subscriber.l, which also signs victims up for premium subscriptions.
- Trojan.AndroidOS.Whatreg.b, which harvests information and requests the verification code to sign into the victims’ WhatsApp accounts.
Malware dropped by Triada on FMWhatsApp users’ Android devices can easily sign them up for premium subscriptions, given that the app requests access to the victims’ text messages when installed.
“With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed – it adds additional features,” Golovin said.
“However, we have observed how cybercriminals have started to spread malicious files through the ad blocks in such apps. That is why we recommend you only use messenger software downloaded from official app stores.
“They may lack some additional functions, but they will not install a bunch of malware on your smartphone.”
The unkillable and almost impossible to remove xHelper
Among the malware delivered by Triada, xHelper stands out through its uncanny ability to reinfect Android devices hours after being removed or after the infected devices are reset to factory settings.
First observed by Malwarebytes in March 2019, when it began slowly spreading onto over 32,000 Android devices, xHelper had infected a total of 45,000 devices by October 2019.
xHelper uses “web redirects” to trick targets into side-loading malicious APKs from third-party Android app stores, with the installed apps downloading and launching the xHelper trojan.
The trojan survives removal attempts by copying itself onto the system partition, which it remounts in write mode. It also replaces the libc.so system library to block full access to the mount and prevent users from employing the same technique to remove it.
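Two of the details above give a defender something concrete to check on a device: a messenger mod that requests SMS permissions (the text-message access that enables the subscription fraud described earlier), and a system partition that is mounted read-write (the remount xHelper relies on to persist). The following triage helpers are an added example and not code from the article, from Kaspersky, or from Malwarebytes; they parse the real layouts of `aapt dump permissions` output and `/proc/mounts`, but the sample inputs, the package name `com.example.messenger.mod`, and the function names are constructed for illustration.

```python
"""Triage helpers for two indicators discussed in the article: SMS permissions
requested by a messenger mod, and a system partition remounted read-write.

Added example, not the article's own code. Input formats follow the real
`aapt dump permissions` and /proc/mounts layouts; the sample data is constructed.
"""

import re

# Real Android permission names that grant access to text messages. A chat
# application mod has no obvious need for any of them.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}

# Mount points that back the system image on current Android layouts
# (system-as-root devices mount the system image at "/").
SYSTEM_MOUNTPOINTS = {"/", "/system", "/system_ext", "/vendor", "/product"}


def sms_permissions_requested(aapt_output: str) -> set:
    """Return the SMS-related permissions found in `aapt dump permissions` output.

    Relevant lines look like:  uses-permission: name='android.permission.READ_SMS'
    """
    found = set()
    for line in aapt_output.splitlines():
        match = re.search(r"uses-permission(?:-sdk-23)?: name='([^']+)'", line)
        if match and match.group(1) in SMS_PERMISSIONS:
            found.add(match.group(1))
    return found


def writable_system_mounts(proc_mounts: str) -> list:
    """Return system-image mount points whose options include 'rw'.

    /proc/mounts fields: device mountpoint fstype options dump pass.
    A writable system mount is expected on some rooted or custom-ROM devices,
    so treat a hit as a prompt for inspection rather than proof of infection.
    """
    hits = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mountpoint, options = fields[1], fields[3].split(",")
        if mountpoint in SYSTEM_MOUNTPOINTS and "rw" in options:
            hits.append(mountpoint)
    return hits


def triage(aapt_output: str, proc_mounts: str) -> dict:
    """Combine both checks into one findings record."""
    return {
        "sms_permissions": sorted(sms_permissions_requested(aapt_output)),
        "writable_system": writable_system_mounts(proc_mounts),
    }


# Constructed sample: manifest dump of a hypothetical messenger mod.
SAMPLE_AAPT = """\
package: name='com.example.messenger.mod' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.CAMERA'
"""

# Constructed sample: /proc/mounts from a device whose system image is writable.
SAMPLE_MOUNTS = """\
/dev/block/dm-0 / ext4 rw,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/vendor /vendor ext4 ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""

if __name__ == "__main__":
    print(triage(SAMPLE_AAPT, SAMPLE_MOUNTS))
```

On a real device the two inputs come from `aapt dump permissions <apk>` on a workstation and `adb shell cat /proc/mounts`; the libc.so replacement the article mentions is best checked separately by comparing the library's hash against a known-good copy from the same firmware build, which this example does not attempt.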
While completely reflashing the Android system on infected devices is the most foolproof method to get rid of xHelper, Malwarebytes came up with a second method which involves installing the company’s free Malwarebytes for Android app.
Update: Added Igor Golovin’s statement on FMWhatsApp’s Google Play clones.