Malicious WhatsApp mod distributed through legitimate apps


Last year, we wrote about the Triada Trojan inside FMWhatsApp, a modified WhatsApp build. At that time, we found a dropper inside the distribution, along with an advertising SDK. This year the situation has repeated with a different modified build, YoWhatsApp version 2.22.11.75: inside it we found a malicious module that we detect as Trojan.AndroidOS.Triada.eq.



Launching a malware module built into the modification


The module decrypted and launched the Trojan.AndroidOS.Triada.ef main payload.



Payload decoding and launch


In addition, the malicious module stole various keys required for legitimate WhatsApp to work. We assume that to achieve this, the cybercriminals had to study the messenger's internals in detail before writing the new version.



The Trojan reads WhatsApp keys…



… and sends collected data to the control server


The keys of interest to the cybercriminals are the ones typically used by open-source utilities that allow a WhatsApp account to be used without the official app. If these keys are stolen, a user of the malicious WhatsApp mod can lose control over their account.

