A new version of an unofficial WhatsApp Android application called ‘YoWhatsApp’ was found stealing access keys for users’ accounts.
YoWhatsApp is a fully functioning messenger app that uses the same permissions as the standard WhatsApp app and is promoted through advertisements on popular Android applications like Snaptube and VidMate.
The app comes with extra features compared to the official WhatsApp, including the ability to customize the interface or block access to chats, which makes it more attractive for users to install.
However, YoWhatsApp v2.22.11.75 has been found to steal WhatsApp keys, which allows the threat actors to control users’ accounts.
The malicious YoWhatsApp application was first discovered by threat analysts and researchers at Kaspersky, who have also been investigating cases of the Triada Trojan hiding inside modified WhatsApp builds since 2021.
According to a report published by Kaspersky on Wednesday, the modded app sends users’ WhatsApp access keys to the developer’s remote server.
The threat analysts added that these keys can be used in open-source utilities to connect and perform actions as the user without the actual client.
The abuse of these stolen access keys by threat actors can lead to account takeover, disclosure of sensitive communications with private contacts, and impersonation of the user to close contacts.
Like the official WhatsApp Android app, the malicious app requests permissions such as access to SMS. These permissions are then also granted to the Triada Trojan embedded in the app.
Kaspersky said that the trojan can abuse these permissions to sign victims up for premium subscriptions without their knowledge and generate income for the distributors.
The modded YoWhatsApp was promoted through ads on Snaptube, a very popular video downloader that has fallen victim to malicious advertising in the past.
Kaspersky informed Snaptube about cybercriminals pushing malicious apps through its ad platform.
The malicious app included features like a customizable interface, individual chat room blocks, and others not offered by WhatsApp.
Additionally, Kaspersky discovered a YoWhatsApp clone called “WhatsApp Plus,” which featured the same malicious functionality and was spread via the VidMate app.
Earlier this month, Meta also sued several Chinese companies for developing “unofficial” WhatsApp apps that stole over one million user accounts.