A variant of the Triada Trojan concealed itself within a WhatsApp mod for Android devices, Kaspersky found in August.

What Is Triada?

Threat actors hid Triada within the WhatsApp mod FMWhatsapp 16.80.0. The security firm also found the Trojan modification, which they named Trojan.AndroidOS.Triada.ef, gathered device IDs, MAC addresses and other unique device identifiers along with the name of the app package that deploys them.

The malware stole this information and sent it to a remote server for the purpose of registering the infected device. Once it set up this communication channel, the remote server responded with a link. The Trojan then used that link to download, decrypt and launch more files.

For instance, Triada leveraged the file Trojan-Downloader.AndroidOS.Gapac.e. This downloaded and launched other malicious modules as well as displayed full-screen ads.

The file Trojan-Downloader.AndroidOS.Helper.a arrived with similar functionality. It also used ads, only it ran them in the background to increase their views. It also downloaded and launched an installer module for xHelper, a Trojan that infected 45,000 Android devices over the span of six months back in 2019.

Meanwhile, two other files signed up the device owner for premium subscriptions. They could do this because users needed to grant FMWhatsapp permission to read their SMS text messages. Attackers used that access to confirm those premium subscriptions by providing a confirmation code received via text.

Other WhatsApp Mods Delivered Trojan Malware

Other attack campaigns involving WhatsApp made headlines in 2021.

Back in January, as an example, The Hacker News revealed that attackers were using malware to automatically respond to WhatsApp messages received from a victim’s contacts with a link to a fake Huawei mobile app. Clicking on the link caused the campaign to redirect the victim to a lookalike Google Play Store website. Once installed, the app prompted the user to grant notification access. From there, it could abuse WhatsApp and thereby spread its reach to others.

Several months later, Threatpost wrote that security researchers had spotted attackers circulating another threat via WhatsApp messages. This time, it was the FlixOnline app, which enticed WhatsApp users with a free two-month Netflix Premium subscription. The app then went about stealing a victim’s data and credentials once installed on their Android device.

Another infected mod, WhatsApp Pink, claimed to be a pink version of the official WhatsApp app. In reality, it contained a Trojan that infected a victim’s device. It spread itself to their contacts by automatically responding to their Signal, Skype and other in-app messages.

How to Defend Against Trojan Malware

The first step to avoiding threats like these is not to download unofficial modifications of apps such as WhatsApp. As discussed above, such mods can lead to premium subscriptions users don’t want or deprive them of access to their accounts altogether. There’s also the threat of malware using those mods to log into victims’ accounts and/or steal their data.

Organizations can highlight this in their security awareness training programs. Emphasize the importance of users downloading apps only from official app marketplaces, such as the Google Play Store. Discuss how activity such as pop-up ads and new credit card charges could be a sign that someone has compromised their Android device.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…