Be very careful about installing a WhatsApp mod on your Android phone — it may contain malware.
Kaspersky reported in a blog post yesterday (Aug. 24) that a certain version of a WhatsApp mod called FMWhatsapp contains malware that itself downloads and installs even worse malware. This includes the notoriously difficult-to-remove xHelper Trojan.
- SteelSeries mice, keyboards hijack Windows 10 — what you can do
- The best WhatsApp alternatives
- Plus: Hundreds of thousands of home Wi-Fi routers attacked — what to do
WhatsApp "mods" are auxiliary Android apps, mostly found outside the Google Play store, that modify how WhatsApp functions. FMWhatsApp, for example, offers to add custom themes, access other apps' emojis and app locking with a PIN, password or fingerprint.
"With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed — it adds additional features," said Kaspersky expert Igor Golovin.
How to avoid infection
FMWhatsapp is not in the Google Play Store at all, and only version 16.80.0 is known to be infected, so it should be pretty easy to avoid as long as you don't install apps from third-party app stores. (You have to grant apps special permissions to do so.)
Many of the best Android antivirus apps also catch the rogue version of FMWhatsapp as it's being downloaded, so they will give you added protection from it and other forms of Android malware.
What's going on here
FMWhatsapp 16.80.0 contains the Triada Trojan, a strain of mobile malware that's been around since 2017. In its current form, Triada is a "downloader" whose main purpose is to establish a backdoor through which other malware can be downloaded and installed.
Along with xHelper, Triada in this instance installs several other malware strains that diplay ads, run "hidden" ads to commit ad fraud, secretly sign up the phone user to paid subscriptions, harvest phone information and install even more Android malware.
"FMWhatsapp users grant the app permission to read their SMS messages," Golovin points out on the Kaspersky SecureList blog.
"The Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process."
"We don't recommend using unofficial modifications of apps, especially WhatsApp mods," the Kaspersky report says. "You may well end up with an unwanted paid subscription, or even lose control of your account altogether."