A malicious version of the FMWhatsApp WhatsApp mod delivers the Triada trojan, a nasty surprise that infects victims' devices with further malware, including the very hard-to-remove xHelper trojan.
FMWhatsApp promises to enhance the WhatsApp user experience with added features such as better privacy, custom chat themes, access to other social networks' emoji packs, and app locking using a PIN, password, or touch ID.
Trojan harvests device info and installs more malware
Once installed, Triada starts collecting device information and sends it to its command-and-control server, which replies with a link to an additional payload that the trojan downloads and launches on the compromised Android device.
According to Kaspersky, Triada will download and launch several types of additional malware on the targets' devices, including:
- Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.
- Trojan-Downloader.AndroidOS.Gapac.e, which installs other malicious modules and displays full-screen ads.
- Trojan-Downloader.AndroidOS.Helper.a, which installs the xHelper trojan installer module and runs invisible ads in the background.
- Trojan.AndroidOS.MobOk.i, which signs the Android device owner up for paid subscriptions.
- Trojan.AndroidOS.Subscriber.l, which also signs victims up for premium subscriptions.
- Trojan.AndroidOS.Whatreg.b, which harvests device information and requests the verification code needed to sign into the victims' WhatsApp accounts.
Malware dropped by Triada on FMWhatsApp users' Android devices can easily sign them up for premium subscriptions because the app requests access to the victims' text messages when installed, which lets the subscription modules read and act on confirmation codes delivered by SMS without the user noticing.
“With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed – it adds additional features,” Kaspersky security expert Igor Golovin said.
“However, we have observed how cybercriminals have started to spread malicious files through the advertisement blocks in such apps. That is why we recommend you only use messenger software downloaded from official app stores.
“They may lack some additional functions, but they will not install a bunch of malware on your smartphone.”
The unkillable and nearly impossible to remove xHelper
Among the malware delivered by Triada, xHelper stands out for its uncanny ability to reinfect Android devices hours after being removed or after the infected devices are reset to factory settings.
First spotted by Malwarebytes in March 2019, when it began slowly spreading to over 32,000 Android devices, xHelper eventually infected a total of 45,000 devices by October 2019.
xHelper uses web redirects to trick targets into side-loading malicious APKs from third-party Android app stores, with the installed apps then downloading and launching the xHelper trojan.
The trojan survives removal attempts by copying itself to the system partition, which it remounts in write mode. Because a factory reset only wipes the data partition, anything written to the system partition survives it, which is why the trojan comes back after a reset. It also replaces the libc.so system library to block full access to the mount point and prevent users from using the same remount trick to remove it.
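A quick check for the persistence mechanism described above, added here as an example and not part of the original article or of Kaspersky's or Malwarebytes' tooling: it parses the text of /proc/mounts (the sample lines below are constructed) and reports whether the system partition is mounted read-write. On a stock device it should be read-only; a writable system partition, or one that refuses to go back to read-only, is worth investigating. In practice the input would come from `adb shell cat /proc/mounts`.

```shell
#!/bin/sh
# Added example, not code from the article, Kaspersky or Malwarebytes.
# Reports the ro/rw state of the Android system partition from /proc/mounts text.

# Constructed sample of /proc/mounts from a clean device: /system is read-only.
SAMPLE_CLEAN='/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

# Constructed sample where /system has been remounted read-write, as xHelper does.
SAMPLE_RW='/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

# system_mount_mode MOUNTS_TEXT
# Prints "ro", "rw" or "unknown" for the system partition. Uses the /system
# line when present, and falls back to / for system-as-root devices.
system_mount_mode() {
    printf '%s\n' "$1" | awk '
        $2 == "/system" { sys = $4 }
        $2 == "/"       { root = $4 }
        END {
            opts = (sys != "") ? sys : root
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) {
                if (a[i] == "ro" || a[i] == "rw") { print a[i]; exit }
            }
            print "unknown"
        }'
}

# system_is_rw MOUNTS_TEXT
# Succeeds (exit 0) when the system partition is writable.
system_is_rw() {
    [ "$(system_mount_mode "$1")" = "rw" ]
}

# Stand-alone usage: feed a live device with
#   adb shell cat /proc/mounts | { m=$(cat); system_is_rw "$m" && echo "system is WRITABLE"; }
if system_is_rw "$SAMPLE_RW"; then
    echo "sample device: system partition is writable, investigate"
fi
if ! system_is_rw "$SAMPLE_CLEAN"; then
    echo "clean device: system partition is read-only"
fi
```

The check is deliberately narrow: a read-only system partition does not prove a device is clean, since the malware can remount it only while it needs to write, but a system partition that is writable at rest on a non-rooted device has no legitimate explanation and, together with unexpected APKs under /system, points at exactly the persistence described above.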
While completely reflashing the Android system on infected devices is the most foolproof way to get rid of xHelper, Malwarebytes came up with a second method that involves installing the company's free Malwarebytes for Android app.