There is a fake version of WhatsApp going around that is stealing accounts as well as personal data from thousands of users. The report was shared by analysts at the cybersecurity company Kaspersky.
The app, called ‘Yo WhatsApp’, was promoted through ads in other Android applications such as Snaptube, which allows users to download YouTube videos – promoting itself with features Meta’s own client does not such as the ability to customise the user experience or individual chat room blocking.
The fraudulent app was discovered by Kaspersky, who found that the app sent users’ WhatsApp access keys to the developer’s remote server.
This could allow attackers to see conversations and steal data that could be used for phishing or other cyberattacks. Moreover, the attackers could use this access to “add paid subscriptions without the user’s knowledge”.
A clone of that app, called “WhatsApp Plus”, also spread through the Vidmate app, with similar features and issues. Vidmate also lets users download YouTube, Instagram, Facebook, and TikTok videos.
Unlike the original version of WhatsApp, YoWhatsApp lets you assign two mobile numbers to a single account and offers extra features such as anonymous messaging, viewing deleted messages, and protecting chats with passwords.
The analysts at Kaspersky discovered that the latest version of YoWhatsApp (v2.22.11.75) is stealing WhatsApp keys, letting attackers take control of your account. These stolen WhatsApp keys are sent to the developer’s remote server.
These keys can be used in open-source utilities to connect and perform actions as the user without the actual client.
It is unclear whether these keys have been used for any attacks so far, but it is still a cause for concern since it can lead to account takeovers, data leaks, impersonation to close contacts, and more. The app has the Triada Trojan embedded into it, which leaves an open backdoor to the app. It can exploit app permissions and register you for paid subscriptions without your knowledge.
There are other fake versions of WhatsApp as well, one of which is called “WhatsApp Plus”. It comes with the same malicious features for account stealing and more. Thankfully, neither of these apps are available on the Google Play Store, so they should not be able to harm most users at the time of writing.
Kaspersky suggests that the distribution channels will be closed soon, and says it is likely the companies were unaware malware was being shared.
“Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources, may still fall victim to them”, the Kaspersky researchers wrote.
“In particular, malware like Triada can steal an IM account, and for example, use it to send unsolicited messages, including malicious spam. The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”
Kaspersky has been investigating the Trida malware in WhatsApp clones over the past year and is especially difficult to detect for two reasons: firstly, the malware modifies a core process in the Android OS that is used as a template for every application, called Zygote. When the Trojan gets into Zygote, it becomes a part of every app that is launched on the device.
Secondly, the app substitutes the phone’s system functions, concealing its modules from the list of the running processes and installed apps – which stops its processes being detected and thereby stays unknown.