Security researchers have discovered a threat actor distributing a data-stealing mobile Trojan through a spoofed version of YoWhatsApp, a fairly widely used modified version of the WhatsApp messaging app.
Users who download the app are at risk of having their WhatsApp account information stolen and being signed up for paid subscriptions they didn’t want or even know about.
Kaspersky researchers recently discovered the threat and identified the Trojan as Triada, a malware tool that was similarly distributed last year via another malicious version of YoWhatsApp.
WhatsApp mods are unofficial, modified versions of the WhatsApp messaging app that advertise features and functions the official version doesn’t have, such as extra privacy, custom backgrounds, and bulk messaging. Because these mods are unofficial, they are not available in the official Google and Apple mobile app stores, so users who want them must download them from unofficial sources, a practice that security experts have long warned is extremely risky. But users often do it anyway because they see the extra features as worth the risk.
Malicious modifications pose a threat to enterprise users
In a report released this week, Kaspersky said its researchers spotted a malicious WhatsApp mod being advertised on Snaptube, a legitimate mobile app used by tens of thousands of people to download videos from Facebook, YouTube and Instagram. Kaspersky assessed this as a strategy designed to lend credibility to the malicious mod.
“Because YoWhatsApp is advertised on the Snaptube app, which is used by hundreds of thousands of users worldwide, many of them are not even aware that this mod can be dangerous,” Kaspersky says.
In fact, it’s highly likely that Snaptube’s developers themselves are unaware that a threat actor is abusing their app’s advertising feature to distribute a malicious YoWhatsApp mod, the security vendor said.
Additionally, the malicious mod can also be downloaded as WhatsApp Plus from an unofficial Android app store linked to Vidmate, a mobile app for downloading YouTube videos.
Organizations using WhatsApp to communicate in the workplace should pay attention to threats like these, Kaspersky security researcher Anton Kivva tells Dark Reading. An employee running a malicious version of YoWhatsApp could leak sensitive business information, or have their account hijacked for phishing scams and spamming.
“Theoretically, judging by the technical capabilities of the Triada Trojan, attackers could even use an infected company-owned mobile device to penetrate the company’s network to search for and steal sensitive information, including business development secrets as well as employees’ personal data,” says Kivva.
Potential business impact
While WhatsApp is primarily a consumer-focused app, its use in business environments (along with similar encrypted messaging apps such as Signal and Telegram) has been growing in recent years, especially with the post-Covid shift to remote and hybrid work models.
Facebook-owned WhatsApp’s 2018 release of WhatsApp Business has also boosted its use, especially in business-to-consumer (B2C) settings. For example, many small and medium-sized businesses use messaging apps to engage customers and build brand loyalty.
“Many customers want human interaction when it comes to customer service, and messaging apps like this are an easy way to do that,” says Eugene Kolodenker, staff security intelligence engineer at Lookout.
In many workplaces, employees also rely on end-to-end encryption to communicate sensitive topics or business matters.
In total, more than 5 million organizations reportedly use the business version of the app for customer service, advertising, and other purposes. That makes the platform an attractive channel for criminals seeking to target companies with malware.
“Attackers often use new product features like this modification of WhatsApp Messenger to socially manipulate users into downloading malware,” says Kolodenker. “Even if only a few people download this malicious mod to their device, it can still cause damage, and organizations with a bring-your-own-device (BYOD) policy need to be aware of the threat.”
Therefore, it is important for organizations to be aware of vulnerable applications or OS versions on employees’ devices. “Mobile attacks can happen through channels that your security team doesn’t control, such as SMS, social media and third-party messaging platforms like WhatsApp,” Kolodenker says.
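One way a security team can get that visibility on managed Android devices is to triage the installed-package inventory for WhatsApp-branded packages that are not the official app, or official package names that were not installed from Google Play. The following is an added example, not code from Kaspersky or Dark Reading; it parses a constructed sample in the format of `adb shell pm list packages -i`, and the placeholder package names (`com.example.*`) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the format of `adb shell pm list packages -i`.
# Only com.whatsapp and com.whatsapp.w4b are real package names; the rest are placeholders.
SAMPLE_INVENTORY = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.yowhatsapp.mod  installer=com.google.android.packageinstaller
package:com.whatsapp.w4b  installer=com.example.thirdpartystore
package:com.example.videodownloader  installer=null
package:com.android.chrome  installer=com.android.vending
"""

OFFICIAL_WHATSAPP = {"com.whatsapp", "com.whatsapp.w4b"}  # consumer app and WhatsApp Business
TRUSTED_INSTALLERS = {"com.android.vending"}               # Google Play
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def flag_whatsapp_mods(text: str) -> List[Finding]:
    """Flag WhatsApp-branded packages that are not the official app (likely mods),
    and official package names that arrived from outside the trusted store."""
    findings = []
    for package, installer in parse_inventory(text):
        if "whatsapp" in package.lower() and package not in OFFICIAL_WHATSAPP:
            findings.append(Finding(package, installer, "WhatsApp-branded package that is not the official app"))
        elif package in OFFICIAL_WHATSAPP and installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(package, installer, "official package name installed from outside Google Play"))
    return findings


if __name__ == "__main__":
    for f in flag_whatsapp_mods(SAMPLE_INVENTORY):
        print(f"{f.package} (installer={f.installer}): {f.reason}")
```

On a real fleet the inventory would come from the MDM or from `adb` against enrolled devices rather than the embedded sample.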
Malicious modifications always have serious consequences for both individuals and companies, Kivva adds. “That’s why it’s so important to be careful when downloading new apps from third-party sites,” he says. “The YoWhatsApp malicious mod we discovered was advertised on Snaptube, a secure app, but that didn’t make it any less dangerous for users and only increased the number of potential victims.”