{"id":20239,"date":"2022-10-12T14:47:35","date_gmt":"2022-10-12T10:47:35","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/why-messenger-mods-are-dangerous\/20239\/"},"modified":"2022-10-12T14:47:35","modified_gmt":"2022-10-12T10:47:35","slug":"why-messenger-mods-are-dangerous","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/why-messenger-mods-are-dangerous\/20239\/","title":{"rendered":"Why messenger mods are dangerous"},"content":{"rendered":"<p>Another WhatsApp modification, known as YoWhatsApp, has turned out to be malicious: it downloads the Triada Trojan to smartphones, which shows ads, secretly subscribes the user to paid content, and steals WhatsApp accounts. How did this happen and what lessons can we learn?<\/p>\n<h2>Don\u2019t feed crocodiles with your hand, or Simple Cybersecurity Rules<\/h2>\n<p>Probably the most important rule of information security is to reduce your risks. To do this:<\/p>\n<ul>\n<li>Don\u2019t visit suspicious websites \u2014 they may contain malicious ads or be a front for a phishing scam.<\/li>\n<li>Don\u2019t download hacked versions of programs via torrents. If you do, there\u2019s a good chance that <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/crack\/\" target=\"_blank\" rel=\"noopener\">cracks<\/a> will contain a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/trojan-psw-psw-password-stealing-ware\/\" target=\"_blank\" rel=\"noopener\">password-stealing Trojan<\/a>, for example.<\/li>\n<li>Don\u2019t click on links in e-mails that were sent from unknown addresses, and don\u2019t open attachments \u2014 there could be all kinds of malware lurking there.<\/li>\n<\/ul>\n<p>You get the idea: being careful goes a long way toward protecting yourself against cyberthreats.<\/p>\n<p>At the same time, it\u2019s still important to keep your antivirus enabled and updated \u2014 as insurance in case something happens. 
Don\u2019t tempt fate by doing the online equivalent of walking down a deserted alley late at night. If you apply a little bit of common sense, you can greatly reduce your chances of falling prey to scammers.<\/p>\n<p>In addition to the above-listed ways to lower the risk of something bad happening, it\u2019s worth adding one more: don\u2019t download mobile apps from unofficial sources. Google and Apple verify apps before adding them to their stores, so the chances of encountering malware there are slim \u2014 albeit still not zero (especially <a href=\"https:\/\/www.kaspersky.com\/blog\/harly-trojan-subscriber\/45573\/\" target=\"_blank\" rel=\"noopener nofollow\">in the case of Google Play<\/a>). Huawei does the same with its Huawei AppGallery store, although malware has already been found there too. But it\u2019s much more likely that you\u2019ll run into malware on open platforms that let you simply download an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Apk_(file_format)\" target=\"_blank\" rel=\"nofollow noopener\">APK file<\/a>.<\/p>\n<p>There\u2019s another key security rule: don\u2019t use unofficial clients for messaging apps. To understand why this is important, let\u2019s take a few steps back and look a little more closely at how messaging apps work.<\/p>\n<p>Most of them operate according to the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Client%E2%80%93server_model\" target=\"_blank\" rel=\"nofollow noopener\">client-server model<\/a>, where the user interacts directly with the client app. Data exchange between client and server occurs through a special <a href=\"https:\/\/en.wikipedia.org\/wiki\/Communication_protocol\" target=\"_blank\" rel=\"nofollow noopener\">protocol<\/a>. For many messaging apps this protocol is open. 
This makes it possible to create unofficial modified clients with additional features, such as viewing messages other users have deleted, creating mass mailings, customizing the interface, and so on.<\/p>\n<p>So where\u2019s the danger? With official clients, you\u2019re entrusting your correspondence only to the creator of the messaging app. When you use an unofficial client, you\u2019re entrusting it not only to the developers of the messaging system but also to the developers of the unofficial client app. On top of that, the modified client may be distributed through unofficial sources (which, as we recall, shouldn\u2019t be trusted). All these are additional stages where something can go wrong \u2014 in other words, there are extra risks.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-2\">\n<h2>What\u2019s up, Triada<\/h2>\n<p>Naturally, something did go wrong, repeating the scenario we wrote about last year. To recap: back then, attackers <a href=\"https:\/\/www.kaspersky.com\/blog\/fmwhatsapp-mod-downloads-malware\/41334\/\" target=\"_blank\" rel=\"noopener nofollow\">infected the FMWhatsapp mod<\/a> with a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/trojan-droppers\/\" target=\"_blank\" rel=\"noopener\">dropper<\/a> that downloaded a multifunctional Trojan \u2014 <a href=\"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/\" target=\"_blank\" rel=\"noopener nofollow\">Triada<\/a> \u2014 onto users\u2019 devices. This modular Trojan mainly shows ads and signs the user up for paid content.<\/p>\n<p>Now, practically the same thing has happened \u2014 with the same messaging app but a different unofficial client. This time, the YoWhatsApp mod, also known as YoWA, <a href=\"https:\/\/securelist.com\/malicious-whatsapp-mod-distributed-through-legitimate-apps\/107690\/\" target=\"_blank\" rel=\"nofollow noopener\">has been infected<\/a>. 
This mod attracts users with expanded privacy options, the ability to transfer files of up to 700 MB, increased speed, and so on.<\/p>\n<p>Apparently YoWhatsApp caught the eye of the malware distributors because it has a significant user base. Also, the fact that the mod wasn\u2019t allowed on Google Play played into the hands of the criminals. Therefore, users are accustomed to downloading YoWhatsApp from sources of varying degrees of trustworthiness. One of the main distribution channels for the infected version of the mod was advertising in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Snaptube\" target=\"_blank\" rel=\"nofollow noopener\">SnapTube<\/a>, an app for downloading video and audio. SnapTube owners themselves probably didn\u2019t even suspect that one of its advertising campaigns was spreading malware.<\/p>\n<p>Along with the infected YoWhatsApp, users got a dropper that delivered the Triada Trojan to their device. Unlike last year\u2019s campaign, this time the dropper wasn\u2019t the only thing that came with the Trojan. An additional feature was added to YoWhatsApp that allows intruders to steal the keys required for WhatsApp to operate. These keys are enough to hijack an account and use it to do things like distributing malware or extracting money from the victim\u2019s contacts.<\/p>\n<p>As a result, the user not only loses money \u2014 since Triada signs them up for paid subscriptions \u2014 but also risks compromising their contacts, to whom the criminals may try to write in the user\u2019s name.<\/p>\n<h2>How to protect yourself from malware on Android<\/h2>\n<p>The best way to fight malware is to avoid situations where you might get it in the first place. In this case, there are three simple rules to follow to protect yourself:<\/p>\n<ul>\n<li>Don\u2019t download apps from unknown sources.
In fact, it\u2019s a good idea to <a href=\"https:\/\/www.kaspersky.com\/blog\/unknown-apps-android\/41656\/\" target=\"_blank\" rel=\"noopener nofollow\">block<\/a> the ability to install apps from places other than Google Play on your Android smartphone.<\/li>\n<li>Don\u2019t install alternative clients for messaging apps. Even if official versions of apps aren\u2019t always ideal, they\u2019re much more reliable and secure.<\/li>\n<li>Use good protection and always keep it enabled. <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">Kaspersky for Android<\/a> can detect different modifications of the Triada Trojan and other Android malware and block them before they have a chance to wreak havoc. Keep in mind that with the free version of our mobile protection you need to manually run the scan every time you download or install something new. The full version automatically scans every new app.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Another modification of WhatsApp has turned out to be malicious. 
We explain what\u2019s happened and how to stay protected.<\/p>\n","protected":false},"author":696,"featured_media":20240,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[105,577,521,2441,692,520],"class_list":{"0":"post-20239","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-android","10":"tag-messengers","11":"tag-threats","12":"tag-triada","13":"tag-trojans","14":"tag-whatsapp"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/why-messenger-mods-are-dangerous\/20239\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/why-messenger-mods-are-dangerous\/24761\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/why-messenger-mods-are-dangerous\/27238\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/why-messenger-mods-are-dangerous\/25089\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/why-messenger-mods-are-dangerous\/25406\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/why-messenger-mods-are-dangerous\/27956\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/why-messenger-mods-are-dangerous\/27287\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/why-messenger-mods-are-dangerous\/34093\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/why-messenger-mods-are-dangerous\/11103\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/why-messenger-mods-are-dangerous\/45788\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/why-messenger-mods-are-dangerous\/19614\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/why-messenger-mods-are-dangerous\/20183\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/why-messenger-mods-are-dangerous\/29398\/"},{"hrefla
ng":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/why-messenger-mods-are-dangerous\/28549\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/why-messenger-mods-are-dangerous\/25518\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/why-messenger-mods-are-dangerous\/31136\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/why-messenger-mods-are-dangerous\/30826\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20239"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20239\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20240"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}