Third-party WhatsApp "Security Overlay" found to install malware

Overview

Application overlays that are not supported by the vendor and that offer additional features, such as extra protection mechanisms like fingerprint unlock, disappearing messages, hidden channels/chats and emojis, are nothing new. These overlays require users to trust third-party developers with access to the application and the data within it. FMWhatsApp offers several of these potentially desirable features, but it has been found to install malware that is difficult to remove.

Impact

A trojan with access to a user’s text messages would be able to subscribe to premium services, intercept MFA codes or send malicious SMS messages from the user’s number. Messaging apps usually have other permissions on the phone as well, which would grant them further access.

Vulnerability Detection

It is hard for users to recognise the potential threat because the application delivers the functionality that it advertises.

Containment, Mitigations & Remediations

The malware has been seen to persist after devices are factory reset because it writes itself to the system partition. It also replaces the libc.so system library to block full access to the system partition, which prevents the user from removing it.

Completely reflashing the Android system on infected devices is the most foolproof method to get rid of the malware.

Indicators of Compromise

C&C
http://t1k22.c8xwor[.]com:13002/
https://dgmxn.c8xwor[.]com:13001/

Threat Landscape

Cybercriminals, private individuals and organisations, and nation states are paying a lot of attention to mobile devices because of the value that users place on the devices and the nature of the material and communications that users store on them.

MITRE Methodologies

T1444 – Masquerade as Legitimate Application
T1467 – Deliver Malicious App via Other Means
T1509 – Uncommonly Used Port
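
The C&C indicators listed under Indicators of Compromise use ports 13001 and 13002, which is what T1509 describes. The following Python is an added example, not part of the original bulletin: it refangs those indicators and checks proxy or firewall log lines against them, matching on whole DNS labels so that look-alike names are not flagged as the C&C domain. The log layout, the sample lines and the function names are assumptions.

```python
from urllib.parse import urlsplit

# C&C indicators copied from this bulletin (defanged, as published).
C2_INDICATORS = ["http://t1k22.c8xwor[.]com:13002/",
                 "https://dgmxn.c8xwor[.]com:13001/"]

# Constructed sample log; the "time client host port" layout is an assumption.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.21 dgmxn.c8xwor.com 13001
2024-01-01T09:00:05Z 10.0.0.21 new1.c8xwor.com 443
2024-01-01T09:00:09Z 10.0.0.34 notc8xwor.example 13001
2024-01-01T09:00:12Z 10.0.0.34 c8xwor.com.example.net 443
2024-01-01T09:00:15Z 10.0.0.50 T1K22.C8XWOR.COM. 13002
"""

def build_watchlist(indicators):
    """Return (exact hosts, parent domains, ports) taken from the indicators."""
    hosts, parents, ports = set(), set(), set()
    for item in indicators:
        url = urlsplit(item.replace("[.]", "."))  # refang before parsing
        hosts.add(url.hostname)
        # Assumption: the registrable domain is the last two labels (true for .com).
        parents.add(".".join(url.hostname.split(".")[-2:]))
        ports.add(url.port)
    return hosts, parents, ports

def classify(host, port, watchlist):
    """Grade one connection: c2-host > c2-domain > port-only > None."""
    hosts, parents, ports = watchlist
    host = host.lower().rstrip(".")  # DNS names ignore case and a trailing dot
    if host in hosts:
        return "c2-host"
    # Match on a label boundary so "notc8xwor.example" is not a domain hit.
    if any(host == p or host.endswith("." + p) for p in parents):
        return "c2-domain"
    if port in ports:
        return "port-only"  # weak signal: uncommon port alone, needs triage
    return None

def scan(log_text, watchlist):
    """Return (client, host, verdict) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed lines
        _ts, client, host, port = fields
        verdict = classify(host, int(port), watchlist)
        if verdict:
            hits.append((client, host, verdict))
    return hits
```

Calling `scan(SAMPLE_LOG, build_watchlist(C2_INDICATORS))` returns the matching lines with the client address, so infected handsets can be traced from network logs even though the app itself behaves as advertised.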

Further Information

Kaspersky: FMWhatsApp mod for WhatsApp downloads Trojans
Kaspersky: Triada Trojan in WhatsApp mod
Bleeping Computer: Malicious WhatsApp mod infects Android devices with malware