{"id":41334,"date":"2021-08-24T08:54:31","date_gmt":"2021-08-24T12:54:31","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=41334"},"modified":"2021-09-17T07:24:29","modified_gmt":"2021-09-17T11:24:29","slug":"fmwhatsapp-mod-downloads-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/fmwhatsapp-mod-downloads-malware\/41334\/","title":{"rendered":"FMWhatsApp mod for WhatsApp downloads Trojans"},"content":{"rendered":"

We recently discovered<\/a> that a version of popular WhatsApp mod FMWhatsApp includes an embedded Trojan. The Trojan, called Triada, downloads other malware to users\u2019 devices. Here\u2019s how it happened and why using modified versions of WhatsApp is dangerous.<\/p>\n

Why use WhatsApp mods?<\/h2>\n

Not all users are happy with the official WhatsApp app. Some may feel a need for self-destructing messages or, conversely, the ability to view messages another user deleted. Others are after dynamic themes, and still others want to hide certain chats from the general list or automatically translate messages.<\/p>\n

Naturally, they want these features right away, not when WhatsApp\u2019s developers finally get around to implementing them. As a result, some users turn to the modified WhatsApp clients available online, which are fairly numerous and not hard to find.<\/p>\n

Fans of mods are not deterred even by WhatsApp\u2019s occasional<\/a> crackdown<\/a> on such modifications or the threat of account bans.<\/p>\n

The creators of WhatsApp mods often embed ads in them \u2014 understandably \u2014 along with the features users are looking for. Problems arise, however, from their use of third-party ad modules through which malicious code can sneak in under developers\u2019 radar.<\/p>\n\n

Triada et al. in the FMWhatsApp mod<\/h2>\n

That\u2019s precisely what happened with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers use third-party ad module that includes a Trojan. Our mobile antivirus<\/a> solution detects this malware as Trojan.AndroidOS.Triada.ef.<\/p>\n

We saw a similar situation in the spring of 2021 with the APKPure unofficial app store, whose developers also used an ad module from an unverified source, thereby infecting their creation<\/a>, and consequently users, with the Triada Trojan (albeit a slightly different version).<\/p>\n

As in the case of the infected APKPure, the Triada Trojan in the dangerous version of the FMWhatsApp mod performs an intermediary function. First, it collects data about the user\u2019s device, and then, depending on the information, it downloads another Trojan.<\/p>\n

Triada\u2019s \u201cextras\u201d come in a variety of flavors \u2014 the infected version of FMWhatsApp downloads several types of malware to devices:<\/p>\n