Triada Malware Infects Mobile Devices Via 2021 Custom WhatsApp Build

Researchers have detected the latest version of Triada malware targeting mobile devices through an advertisement SDK.

Latest Verision Of A WhatsApp Mod, Poisoned By Triada Malware

Triada malware, a destructive and persistent trojan, has resurfaced. It was most recently spotted hiding in an advertising component of a custom version of the trendy WhatsApp messenger called FM WhatsApp.

Build 16.80.0 of FM WhatApp is compromised by the trojan. This version of the popular app is only available on unofficial app stores and is a mod that allows users to add functionality to the official app.

Researchers at Kaspersky warned on Tuesday that the latest version of Triada acts as a payload downloader, forcing up to six additional trojan apps onto Android smartphones. They can do various malicious actions – from commandeering a handset to aggressive full-screen popup ads.

“We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even lose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name,” wrote Kaspersky cybersecurity expert Igor Golovin on Tuesday.

Foud Apps, the creator of FM WhatsApp, did not make any comments on the issue.

Triada Is Evolving

Kaspersky experts first uncovered Triada in 2016 and warned that the trojan was “almost invisible” to users and those attempting to find and remove it. They went on to describe it as “one of the most advanced mobile Trojans our malware analysts have ever encountered.”

According to Kaspersky, its 2016 version was “a modular mobile trojan that actively uses root privileges to substitute system files and exists mostly in the device’s RAM, which makes it extremely hard to detect,” according to Kaspersky. Most often, the malware was delivered post-infection via the trojans Leech, Ztorg, and Gopro.

Two years ago, Google’s Android Security and Privacy Team said Triada would be neutralized by an update to its Google Play Protect. Google observed the malware’s evolution in a blog post.

“During the summer of 2017 we noticed a change in new Triada samples. Instead of rooting the device to obtain elevating privileges, Triada evolved to become a pre-installed Android framework backdoor,” wrote Lukasz Siewierski, with Google’s Android Security and Privacy Team.

This year’s build infects Android handsets via malicious code embedded in the latest FM WhatsApp version. When the unofficial app starts, the Triada malware is decrypted and launched.

Kaspersky experts said Triada’s malicious code is similar to those embedded in APKPure and CamScanner, both now unavailable on Google Play.

An Open Backdoor

Other malware similar to Triada has caught researchers’ attention as it has been spotted pre-installed on cheaper phones as a backdoor inviting cybercriminals in.

The latest version of Triada has also changed and adapted to infect and hide on a phone. Its developers opted for a more sophisticated attack strategy instead of just relying on rooting the smartphone to elevate privileges, as they did back in 2017.

The trojan now comes pre-installed on a handset or hiding inside a malicious app. Once active, Triada abuses a call in the Android framework log function. Thus, whenever an app attempts to log something, Triada code is launched, allowing the malware to execute code in any app.

“With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed – it adds additional features,” Kaspersky’s Golovin said.

Sources:

SecureList securelist.com/triada-trojan-in-whatsapp-mod/

ThreatPost threatpost.com/custom-whatsapp-build-malware/

Attribution:

Feature Image: Photo by Mika Baumeister on Unsplash