Security researchers have detected a threat actor distributing a data-stealing mobile Trojan via a spoofed version of YoWhatsApp, a relatively widely used, modified version of the WhatsApp messaging application.
Users who download the app are at risk of having their WhatsApp account details stolen and being signed up for paid subscriptions they did not want or were even aware of.
Researchers at Kaspersky detected the threat recently and identified the Trojan as Triada, a malware tool that it observed last year being similarly distributed via another malicious version of YoWhatsApp.
WhatsApp mods are basically unofficial, modified versions of the social media app touting features and functionality — such as additional privacy, custom backgrounds, and bulk messaging — that the official version does not have. Since these modified social media apps are unofficial, they are not available on the official mobile app stores of Google and Apple, so users who want them must download them from unofficial sources — a practice that security experts have long warned as being especially risky. However, users often do it anyway because they see the additional functionality is worth the risk.
Malicious Mod Threatens Corporate Users
In a report this week, Kaspersky said its researchers had observed the malicious WhatsApp mod being advertised in Snaptube, a legitimate mobile app that tens of thousands of people use to download videos from Facebook, YouTube, and Instagram. It's a strategy that Kaspersky assessed as designed to lend credibility to the malicious mod.
"Since YoWhatsApp is being advertised in the Snaptube app used by hundreds of thousands of users around the world, many of them are not even aware that this modification could be dangerous," according to Kaspersky.
In fact, it's quite likely that Snaptube's own developers are unaware of a threat actor abusing the advertising feature in their app to hawk the malicious YoWhatsApp mod, the security vendor said.
In addition, the malicious mod is also available for download — as "WhatsApp Plus" — via an unofficial Android app store associated with Vidmate, a mobile app for downloading YouTube videos.
Organizations using WhatsApp for workplace communication should pay attention to threats like this, says Anton Kivva, security researcher at Kaspersky in comments to Dark Reading. An employee using the malicious version of YoWhatsApp could end up leaking sensitive business information or having their account used in phishing scams and for sending spam.
"In theory, judging by the technical capabilities of Triada Trojan, if attackers infect a corporate-owned mobile device, they could even penetrate the corporate network and search and steal sensitive information, including both business development secrets, as well as employees’ personal data," Kivva says.
Potential Impact on Businesses
Though WhatsApp is primarily a consumer-focused app, its use in business settings (along with similar encrypted messaging apps, such as Signal and Telegram) has been growing in recent years, especially with the post-COVID shift to remote and hybrid work models.
The Facebook-owned WhatsApp's release of WhatsApp Business in 2018 has also propelled a lot of its use, especially in business-to-consumer (B2C) settings. For instance, many small and midsize businesses use messaging apps to engage customers and drive brand loyalty.
"Many customers want to have human interaction when it comes to customer service, and messenger apps like this provide an easy avenue to deliver this," says Eugene Kolodenker, staff security intelligence engineer at Lookout.
In many workplaces, employees also rely on the end-to-end encryption to communicate on sensitive topics or business issues.
In all, more than 5 million organizations are reported to be using the business version of the app for customer support, advertising, and other reasons. So, criminals do look to target businesses with malware that is being distributed via the platform.
"Attackers often use the lure of new product features like this WhatsApp messenger mod to socially engineer users into downloading malware," Kolodenker says. "Even if only a few people download this malicious mod on their device, it can still do damage, and organizations that have bring-your-own-device (BYOD) policies need to stay aware of the threat."
It's important therefore for organizations to have visibility into vulnerable app or OS versions on employee devices. "Mobile attacks can come through channels outside of your security team's control — like SMS, social media, and third-party messaging platforms like WhatsApp," Kolodenker says.
Malicious mods always have serious consequences both for individuals and businesses, Kivva adds. "Therefore, it's crucial to be careful when downloading new apps from third-party sites," he says. "The malicious mod YoWhatsApp we discovered was advertised on the safe Snaptube app, but that didn't make it any less dangerous for users and only increased the number of potential victims."