{"id":2964,"date":"2021-08-25T20:20:26","date_gmt":"2021-08-25T14:50:26","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2964"},"modified":"2021-08-25T20:20:28","modified_gmt":"2021-08-25T14:50:28","slug":"how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/","title":{"rendered":"How the Malicious WhatsApp mod Harms Android Devices with Trojan"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">A malicious version of the FMWhatsApp mod delivers a Triada Trojan payload, an unpleasant surprise for users that infects their devices with additional Trojans, including the very hard-to-remove xHelper Trojan. FMWhatsApp promises to enhance the WhatsApp user experience with additional features such as better privacy, custom chat themes, access to other social networks\u2019 emoticon packs, and application locking using a PIN, password, or Touch ID.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">However, as Kaspersky researchers discovered, FMWhatsApp version 16.80.0 also drops the Triada Trojan on users\u2019 devices with the help of an advertising SDK. \u201cThis application was available on some of the well-known WhatsApp mod contributing sites. 
We are unable to transmit the links to them though,\u201d Kaspersky security expert Igor Golovin told our experts.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cAs for FMWhatsApp clones on Google Play \u2013 these applications usually contain different ads and guide users on how to download and install mods, while not exactly containing the malicious mod itself.\u201d<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Trojan Harvests Device Information and Installs More Trojans<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">Once installed, Triada starts gathering device data and sends it to its command-and-control server, which replies with a link to an additional payload that the malware downloads and launches on the compromised Android device.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">According to Kaspersky, Triada downloads and launches multiple types of additional Trojans on the targets\u2019 devices, including:<\/p><\/p>\n\n\n\n<ul><li>Trojan-Downloader.AndroidOS.Agent.ic, which downloads and launches other malicious modules.<\/li><li>Trojan-Downloader.AndroidOS.Gapac.e, which installs other malicious modules and displays full-screen ads.<\/li><li>Trojan-Downloader.AndroidOS.Helper, which installs the xHelper Trojan installer module and runs invisible ads in the background.<\/li><li>Trojan.AndroidOS.MobOk.i, which signs the Android device owner up for paid subscriptions.<\/li><li>Trojan.AndroidOS.Subscriber.l, which also signs victims up for premium subscriptions.<\/li><li>Trojan.AndroidOS.Whatreg.b, which 
harvests the info and requests the verification code to sign in to the victims&#8217; WhatsApp accounts.<\/li><\/ul>\n\n\n\n<p><p style=\"text-align: justify;\">The Trojans dropped by Triada on FMWhatsApp users\u2019 Android devices can easily sign them up for premium subscriptions, given that the application requests access to the victims\u2019 text messages when installed.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">&#8220;With this application, it is very hard for users to recognize the probable threat because the mod application does what is proposed \u2013 it adds additional features,&#8221; Golovin said. &#8220;However, we have monitored how attackers have started to spread malicious files through the ad blocks in such apps. That is why we recommend you only use messenger software downloaded from official app stores. They may lack some additional functions, but they will not install a bunch of malware on your smartphone.&#8221;<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The unkillable and almost impossible to remove xHelper<\/strong><\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"300\" height=\"168\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/Malicious-WhatsApp-mod-Harms-Android-Devices-with-Trojan-image1.jpg\" alt=\"How-the-Malicious-WhatsApp-mod-Harms-Android-Devices-with-Trojan-image1\" class=\"wp-image-2966\"\/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">Among the malware delivered by Triada, xHelper stands out through its uncanny ability to reinfect Android devices hours after being removed or after the infected devices are reset to factory settings. 
First observed by Malwarebytes in March 2019, when it began slowly spreading to more than 32,000 Android devices, xHelper eventually infected a total of 45,000 devices by October 2019.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">xHelper uses &#8220;web redirects&#8221; to trick targets into side-loading malicious APKs from third-party Android app stores, with the installed apps downloading and launching the xHelper Trojan. The Trojan survives removal attempts by copying itself to the system partition, which it remounts in write mode. It also replaces the libc.so system library to block full access to the mount and prevent users from employing the same technique to remove it.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">While completely reflashing the Android system on infected devices is the most foolproof method to get rid of xHelper, Malwarebytes came up with a second method which involves installing the company&#8217;s free Malwarebytes for Android app.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A malicious version of the FMWhatsApp mod delivers a Triada Trojan payload, an unpleasant surprise for users that infects their devices with additional Trojans, including the very hard-to-remove xHelper Trojan. 
FMWhatsApp also commits to enhance the WhatsApp user experience with additional features such as better privacy, custom chat theme, access to other social networks\u2019 emoticon packs, and application [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2967,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How the Malicious WhatsApp mod Harms Android Devices with Trojan - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How the Malicious WhatsApp mod Harms Android Devices with Trojan - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"A malicious version of the FMWhatsapp mod transmits a Triadatrojan payload, an unpleasant surprise that harms their devices with additional Trojan, including the very hard-to-remove xHelper Trojans. 
FMWhatsApp also commits to enhance the WhatsApp user experience with additional features such as better privacy, custom chat theme, access to other social networks\u2019 emoticon packs, and application [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-25T14:50:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-25T14:50:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/Malicious-WhatsApp-mod-Harms-Android-Devices-with-Trojan-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"How the Malicious WhatsApp mod Harms Android Devices with Trojan\",\"datePublished\":\"2021-08-25T14:50:26+00:00\",\"dateModified\":\"2021-08-25T14:50:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/\"},\"wordCount\":589,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/\",\"url\":\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/\",\"name\":\"How the Malicious WhatsApp mod Harms Android Devices with Trojan - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-08-25T14:50:26+00:00\",\"dateModified\":\"2021-08-25T14:50:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How the Malicious WhatsApp mod Harms Android Devices with Trojan\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How the Malicious WhatsApp mod Harms Android Devices with Trojan - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/","og_locale":"en_US","og_type":"article","og_title":"How the Malicious WhatsApp mod Harms Android Devices with Trojan - Xiarch Solutions Private Limited","og_description":"A malicious version of the FMWhatsapp mod transmits a Triadatrojan payload, an unpleasant surprise that harms their devices with additional Trojan, including the very hard-to-remove xHelper Trojans. FMWhatsApp also commits to enhance the WhatsApp user experience with additional features such as better privacy, custom chat theme, access to other social networks\u2019 emoticon packs, and application [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-08-25T14:50:26+00:00","article_modified_time":"2021-08-25T14:50:28+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/Malicious-WhatsApp-mod-Harms-Android-Devices-with-Trojan-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"How the Malicious WhatsApp mod Harms Android Devices with Trojan","datePublished":"2021-08-25T14:50:26+00:00","dateModified":"2021-08-25T14:50:28+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/"},"wordCount":589,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/","url":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/","name":"How the Malicious WhatsApp mod Harms Android Devices with Trojan - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-08-25T14:50:26+00:00","dateModified":"2021-08-25T14:50:28+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/how-the-malicious-whatsapp-mod-harms-android-devices-with-trojan\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How the Malicious WhatsApp mod Harms Android Devices with Trojan"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2964"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2964"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2964\/revisions"}],"predecessor-version":[{"id":2968,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2964\/revisions\/2968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2967"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}