YoWhatsApp, an unofficial modded version of WhatsApp for Android, has been caught stealing users' accounts and personal data by threat analysts at Kaspersky, who have been investigating cases of the Triada Trojan hiding inside modified WhatsApp builds since last year.
According to BleepingComputer, which shared the Kaspersky report, YoWhatsApp is a fully functioning messenger application for Android that requests the same permissions as the standard WhatsApp client and is promoted through advertisements inside popular Android applications such as SnapTube and VidMate.
Being a mod version of WhatsApp for Android, YoWhatsApp offers users additional features over the regular application, such as the ability to customize the interface or block access to chats, which entices users to opt for the unofficial WhatsApp application instead of using the original.
However, threat analysts at Kaspersky have discovered that YoWhatsApp V126.96.36.199 has been stealing WhatsApp access keys, enabling the threat actors to take control of users' accounts. According to the report, the modded client sends the user's WhatsApp access keys to the developer's remote server.
The report states that these keys can be used with open-source utilities to connect to a WhatsApp account and perform actions in it without the knowledge of the user or the legitimate client. Kaspersky has not confirmed whether the stolen access keys have actually been abused, but they could be used for account takeover and disclosure of personal information.
YoWhatsApp was being promoted by its developers through advertisements in applications such as SnapTube, a very popular video downloader for Android, and Kaspersky has informed SnapTube that cybercriminals are pushing malicious apps through its ad platform.
Furthermore, Kaspersky has also found a clone of YoWhatsApp named 'WhatsApp Plus' that carries the same malicious functionality and uses the same promotion techniques.
Kaspersky says that not all unofficial WhatsApp mods are malicious, but avoiding them altogether is the best choice for users who want to minimize the chance of installing malware. This includes any app that has to be downloaded as an APK or XAPK package from outside the Google Play Store.