Are you a WhatsApp user? If you are you may have heard of the FMWhatsApp mod.
It promises to improve the WhatsApp user experience by improving user privacy, giving access to custom chat themes, emoji packs from other social networking sites, app locking via a customizable PIN, and more.
Hackers have hijacked this legitimate and helpful mod. It's somewhat hard to detect because the poisoned mod does what it promises. In addition to providing the promised features, it also installs the Triadatrojan malware.
Triadatrojan isn't harmful in and of itself but the hackers have seen fit to bundle the XHelper trojan with the malware. Triadatrojan plants seeds in any Android device it infects that allow the hackers to install other malware as well.
The poisoned version of FMWhatsapp was found by researchers at Kaspersky. They discovered that FMWhatsapp 16.80-.0 will install the following additional malware (taken from a recent Kaspersky post on the topic).
According to the Kaspersky post:
- Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.
- Trojan-Downloader.AndroidOS.Gapac.e, which installs other malicious modules and displays full-screen ads.
- Trojan-Downloader.AndroidOS.Helper.a installs the xHelper Trojan installer module and runs invisible ads in the background.
- Trojan.AndroidOS.MobOk.i signs the Android device owner up for paid subscriptions.
- Trojan.AndroidOS.Subscriber.l also signs up victims up for premium subscriptions.
- And Trojan.AndroidOS.Whatreg.b harvests the info and requests the verification code to sign into the victims' WhatsApp accounts.
The best way to avoid the poisoned version of the app is to be sure you're getting it from the Google Play Store. So far it has not made it past Google's stringent checks but the Kaspersky researchers did discover it on a number of popular WhatsApp mod distribution sites.
The FMWhatsApp mod is excellent. Just be sure you're getting the non-poisoned version of it.