Incidents

Triada Trojan in WhatsApp mod

Table of Contents

WhatsApp users sometimes feel the official app is lacking a useful feature of one sort or another, be it animated themes, self-destructing messages which automatically delete themselves, the option of hiding certain conversations from the main list, automatic translation of messages, or the option of viewing messages that have been deleted by the sender. This is where amateurs step in with modified versions of WhatsApp which offer extra features. These mods can contain ads, usually in the form of various different banners displayed in the app. However, we discovered that the Trojan Triada snook into one of these modified versions of the messenger called FMWhatsapp 16.80.0 together with the advertising software development kit (SDK). This is similar to what happened with APKPure, where the only malicious code that was embedded in the app was a payload downloader.

Trojan loaded from advertising SDK

Trojan loaded from advertising SDK

We detect the Trojan modification as Trojan.AndroidOS.Triada.ef.

How Triada operates

Once the app is launched, the malware gathers unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) and the name of the app package where they’re deployed. The information they collect is sent to a remote server to register the device. It responds by sending a link to a payload which the Trojan downloads, decrypts and launches.

Decrypting and launching a malicious payload

Decrypting and launching a malicious payload

Decrypting and launching a malicious payload

By analyzing the statistics on files downloaded by FMWhatsapp, we identified a number of different types of malware:

The MobOk Trojan opens the subscription page to click subscribe

The MobOk Trojan opens the subscription page to click subscribe

The MobOk Trojan opens the subscription page in an invisible window to click “subscribe” while posing as the user…

The MobOk Trojan intercepts the confirmation code

…and intercepts the confirmation code to confirm the subscription

  • Trojan.AndroidOS.Subscriber.l (MD5: c3c84173a179fbd40ef9ae325a1efa15) also serves to sign victims up for premium subscriptions.
  • Trojan.AndroidOS.Whatreg.b (MD5: 4020a94de83b273f313468a1fc34f94d) signs in Whatsapp accounts on the victim’s phone. The malware gathers information about the user’s device and mobile operator, then sends it to the command and control server (C&C server). The server responds with an address to request a confirmation code and other information required to sign in. The attackers seem to have done their homework on the protocol WhatsApp uses.

Obtaining information for signing in

Obtaining information for signing in

Once the necessary IDs have been collected, the malware requests a verification code.

Requesting an SMS confirmation code

It’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process.

We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even loose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name.

IOC

MD5

Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de

C&C
http://t1k22.c8xwor[.]com:13002/
https://dgmxn.c8xwor[.]com:13001/

Triada Trojan in WhatsApp mod

Your email address will not be published. Required fields are marked *

 

  1. shane eggers

    spyware on phone can’t contoll

Reports

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox