A WhatsApp clone app called “YoWhatsApp” has been found stealing access keys for users’ accounts. The app uses the same permissions as the standard WhatsApp app, but it includes additional features such as the ability to customize the interface or block access to chats.
The latest version of the app has been discovered to send users’ WhatsApp access keys to a remote server, enabling threat actors to gain access and control the accounts of other users.
Malicious Alternative to WhatsApp
Analysts discovered the threat while investigating cases of the Triada Trojan hiding inside modded WhatsApp builds since last year.
According to BleepingComputer, the keys can be used in open-source utilities to connect and perform actions as if they were users, but without the actual client. Although it is not currently stated whether or not these stolen access credentials have been misused, they can result in account takeover, the exposure of private contacts’ sensitive messages, and the impersonation of trusted individuals.
Similar to the original WhatsApp app, YoWhatsApp asks for permissions such as access to SMS, which is granted to the Triada Trojan embedded in the app. With the data obtained, the trojan can sign up its victims for premium subscriptions without them knowing and earn money from its distributors.
The app is being promoted through ads via Snaptube and Vidmate, two popular video downloader apps that have suffered from malvertising in the recent past. Snaptube has been informed about the situation, so this distribution channel should be closed soon.
Another clone of the app called “WhatsApp Plus”, which has the same premise of offering the user additional customizable features, has been spread via the VidMate app, presumably without the knowledge of its authors.
How to Stay Safe
Even if not all unofficial WhatsApp mods carry malware, it is advisable to avoid installing them to minimize the chances of getting your device infected.
Triada can take advantage of people’s confidence in their close-knit social network by using these keys to send dangerous spam from a stolen account.
Therefore, be wary of direct messages from contacts encouraging you to click on odd links or advertising software. When you get texts like these, make sure to get in touch with your friends and relatives to ask them if they sent the SMS.