How the Malicious WhatsApp Mod Harms Android Devices with Trojans

A malicious version of the FMWhatsApp mod carries a Triada trojan payload, an unpleasant surprise that infects victims’ devices with additional Trojans, including the very hard-to-remove xHelper Trojan. FMWhatsApp promises to enhance the WhatsApp user experience with additional features such as better privacy, custom chat themes, access to other social networks’ emoticon packs, and application locking using a PIN, password, or touch ID.

However, as Kaspersky researchers discovered, FMWhatsApp version 16.80.0 also drops the Triada Trojan on users’ devices with the help of an advertising SDK. “This application was available on some of the well-known WhatsApp mod contributing sites. We are unable to transmit the links to them though,” Kaspersky security expert Igor Golovin told our experts.

“As for FMWhatsApp clones on Google Play – these applications usually contain different ads and guide users on how to download and install mods, while not exactly containing the malicious mod itself.”

Trojan Harvests Device Information and Installs More Trojans

Once installed, Triada starts gathering device data and sends it to its command-and-control server, which replies with a link to an additional payload that the malware downloads and launches on the compromised Android device.

According to Kaspersky, Triada downloads and launches multiple additional Trojans on the targets’ devices, including:

  • Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.
  • Trojan-Downloader.AndroidOS.Gapac.e, which installs other malicious modules and displays full-screen ads.
  • Trojan-Downloader.AndroidOS.Helper., which installs the xHelper Trojan installer module and runs invisible ads in the background.
  • Trojan.AndroidOS.MobOk.i, which signs the Android device owner up for paid subscriptions.
  • Trojan.AndroidOS.Subscriber.l, which also signs victims up for premium subscriptions.
  • Trojan.AndroidOS.Whatreg.b, which harvests the information and requests the verification code needed to sign into the victims’ WhatsApp accounts.

The Trojans dropped by Triada on FMWhatsApp users’ Android devices can easily sign them up for premium subscriptions, given that the application requests access to the victims’ text messages when installed.

“With this application, it is very hard for users to recognize the probable threat because the mod application does what is proposed – it adds additional features,” Golovin said. “However, we have monitored how attackers have started to spread malicious files through the ad blocks in such apps. That is why we recommend you only use messenger software downloaded from official app stores. They may lack some additional functions, but they will not install a bunch of malware on your smartphone.”

The unkillable and almost impossible-to-remove xHelper


Among the malware delivered by Triada, xHelper stands out through its uncanny ability to reinfect Android devices hours after being removed or after the infected devices are reset to factory settings. First observed by Malwarebytes in March 2019, when it began slowly spreading to over 32,000 Android devices, xHelper went on to infect a total of 45,000 devices by October 2019.

xHelper uses “web redirects” to trick targets into side-loading malicious APKs from third-party Android app stores, with the installed apps then downloading and launching the xHelper trojan. The trojan survives removal attempts by copying itself to the system partition, which it remounts in write mode. It also replaces the libc.so system library to block full access to the mount and prevent users from employing the same technique to remove it.
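Two of the indicators described in this article are easy to check on a device capture: the mod requests SMS permissions while being installed from outside the Play Store (the subscription-fraud angle above), and xHelper needs the system partition remounted read-write to persist. The following Python triage script is an added example, not code from Kaspersky, Malwarebytes or the article; the package names, the mount table and the shortened `dumpsys package` excerpts are constructed sample data, and the exact shape of `pm list packages -i` and `dumpsys` output is an assumption to be checked against a real capture from the device being examined.

```python
"""Triage helpers for the two indicators discussed above.

Inputs are constructed samples shaped like `cat /proc/mounts`,
`pm list packages -i` and `dumpsys package <pkg>` output (assumed
formats; verify against a real adb capture before relying on them).
"""
import re

# Constructed /proc/mounts excerpt. A healthy device keeps /system
# read-only; an "rw" option on /system is what xHelper needs to persist.
SAMPLE_PROC_MOUNTS = """\
/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/dm-1 /system ext4 rw,seclabel,relatime 0 0
/dev/block/dm-2 /vendor ext4 ro,seclabel,relatime 0 0
/dev/block/sda33 /data f2fs rw,lazytime,seclabel,nosuid,nodev,noatime 0 0
"""

# Constructed `pm list packages -i` excerpt; installer=null means the
# package was not installed by a store app (typical of a sideloaded mod).
SAMPLE_PM_LIST = """\
package:com.android.vending  installer=null
package:com.example.fmwhatsapp.mod  installer=null
package:org.thoughtcrime.securesms  installer=com.android.vending
"""

# Constructed, shortened `dumpsys package <pkg>` output keyed by package.
SAMPLE_DUMPSYS = {
    "com.example.fmwhatsapp.mod": """\
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
  install permissions:
    android.permission.INTERNET: granted=true
""",
    "org.thoughtcrime.securesms": """\
  requested permissions:
    android.permission.INTERNET
    android.permission.RECEIVE_SMS
""",
}

SYSTEM_PARTITIONS = {"/", "/system", "/vendor", "/product"}
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
PLAY_STORE_INSTALLER = "com.android.vending"


def writable_system_mounts(proc_mounts):
    """Return system-type mount points that carry the 'rw' option."""
    hits = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mount_point, options = parts[1], parts[3].split(",")
        if mount_point in SYSTEM_PARTITIONS and "rw" in options:
            hits.append(mount_point)
    return hits


def parse_pm_list(pm_output):
    """Map package name -> installer package (None when installer=null)."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def requested_permissions(dumpsys_text):
    """Collect permission names listed under 'requested permissions:'."""
    perms = set()
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # Only the 'requested permissions:' block is of interest;
            # any other '... permissions:' header ends it.
            in_section = stripped == "requested permissions:"
            continue
        if in_section and stripped.startswith("android.permission."):
            perms.add(stripped)
    return perms


def sideloaded_sms_readers(pm_output, dumpsys_by_pkg):
    """Flag packages not installed via Play that request SMS permissions."""
    flagged = []
    for pkg, installer in parse_pm_list(pm_output).items():
        if installer == PLAY_STORE_INSTALLER:
            continue
        sms = sorted(requested_permissions(dumpsys_by_pkg.get(pkg, "")) & SMS_PERMISSIONS)
        if sms:
            flagged.append((pkg, sms))
    return flagged


if __name__ == "__main__":
    print("system partitions mounted rw:", writable_system_mounts(SAMPLE_PROC_MOUNTS))
    for pkg, perms in sideloaded_sms_readers(SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print("sideloaded package with SMS access:", pkg, perms)
```

On the constructed data the script reports /system mounted read-write and the sideloaded mod as the only non-Play package requesting SMS permissions; a Play-installed messenger that legitimately needs RECEIVE_SMS is deliberately skipped, because the combination of sideloading and SMS access is the signal the article points at, not SMS access alone.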

While completely re-flashing the Android system on affected devices is the most foolproof way to get rid of xHelper, Malwarebytes came up with a second method, which involves installing the company’s free Malwarebytes for Android app.
