Monday, July 15, 2024
EHA

Beware!! New “WhatsApp mod” Hack Your Mobile To Spy Your Activities & Steal SMS Data

Researchers uncovered a new modified version of WhatsApp called called “FMWhatsapp” that comes with an advertising software development kit and drops a Triada Trojan to spy on your devices and steal the SMS data.

WhatsApp users are always curious about the new features since the original version has lacking with some expected features such as animated themes, self-destructing messages which automatically delete themselves, view messages that have been deleted by the sender, and so on.

This is a huge advance for the threat actors to release the modified version of WhatsApp with some extra features along with ads and displayed to the victims via different banners.

The uncovered modified version “FMWhatsapp” comes with the malicious code embedded within the app and the code employed as a payload downloader.

Experts from Kaspersky, The modified version seeking permission from the victims grant the app permission to read their SMS message, also other malicious modules loads also gain access to them.

Triada Trojan Infection Process

Once the victims downloaded and launched the app, the malware starts gathering device information such as MAC addresses, subscribers ID’s, Devices IDs and sends the details to the removed server and registers the device.

Diving deep into the App, researchers uncovered that the FMWhatsapp drops the different types of malware of the following:-

  • Trojan-Downloader.AndroidOS.Agent.ic – downloads and launches other malicious modules.
  • Trojan-Downloader.AndroidOS.Gapac.e – downloads and launches other malicious modules. Apart from that, it displays full-screen ads when users least expect them to pop up.
  • Trojan-Downloader.AndroidOS.Helper.a – downloads and launches the xHelper Trojan installer module. It also runs invisible ads in the background to increase the number of views they get.
  • Trojan.AndroidOS.MobOk.i – signs the device owner up for paid subscriptions.
  • Trojan.AndroidOS.Subscriber.l  – Signup victims for premium subcription.
  • Trojan.AndroidOS.Whatreg.b – Sign the victims whatsapp account and gathering the information such as device and mobile operator and send those details to C2 server.

Most important activities that performed by the FMWhatsApp is to  read their SMS messages, automatic sign to premium subscription.

IOC

MD5

b1aa5d5bf39fee0b1e201d835e4dc8de
92b5eedc73f186d5491ec3e627ecf5c0
6a39493f94d49cbaaa66227c8d6db919
61718a33f89ddc1781b4f43b0643ab2f
fa9f9727905daec68bac37f450d139cd
c3c84173a179fbd40ef9ae325a1efa15
 4020a94de83b273f313468a1fc34f94d

C&C
http://t1k22.c8xwor[.]com:13002/
https://dgmxn.c8xwor[.]com:13001/

Website

Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles