Skip to main content

This WhatsApp mod will infect your Android phone — what to do

whatsapp
(Image credit: Anadolu Agency / Getty Images)

Be very careful about installing a WhatsApp mod on your Android phone — it may contain malware.

Kaspersky reported in a blog post yesterday (Aug. 24) that a certain version of a WhatsApp mod called FMWhatsapp contains malware that itself downloads and installs even worse malware. This includes the notoriously difficult-to-remove xHelper Trojan.

WhatsApp "mods" are auxiliary Android apps, mostly found outside the Google Play store, that modify how WhatsApp functions. FMWhatsApp, for example, offers to add custom themes, access other apps' emojis and app locking with a PIN, password or fingerprint.

"With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed — it adds additional features," said Kaspersky expert Igor Golovin. 

How to avoid infection

FMWhatsapp is not in the Google Play Store at all, and only version 16.80.0 is known to be infected, so it should be pretty easy to avoid as long as you don't install apps from third-party app stores. (You have to grant apps special permissions to do so.)

Many of the best Android antivirus apps also catch the rogue version of FMWhatsapp as it's being downloaded, so they will give you added protection from it and other forms of Android malware.

What's going on here

FMWhatsapp 16.80.0 contains the Triada Trojan, a strain of mobile malware that's been around since 2017. In its current form, Triada is a "downloader" whose main purpose is to establish a backdoor through which other malware can be downloaded and installed.

Along with xHelper, Triada in this instance installs several other malware strains that diplay ads, run "hidden" ads to commit ad fraud, secretly sign up the phone user to paid subscriptions, harvest phone information and install even more Android malware.

"FMWhatsapp users grant the app permission to read their SMS messages," Golovin points out on the Kaspersky SecureList blog

"The Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process."

"We don't recommend using unofficial modifications of apps, especially WhatsApp mods," the Kaspersky report says. "You may well end up with an unwanted paid subscription, or even lose control of your account altogether."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.