An unofficial version of the popular WhatsApp messaging app called YoWhatsApp has been spotted infecting devices with the known Android Trojan Triada.
Distributed via advertisements on popular Android applications like Snaptube and VidMate, YoWhatsApp v2.22.11.75 steals WhatsApp keys, enabling the threat actors to control users' accounts.
According to an advisory published by Kaspersky on Wednesday, the stolen keys are typically used in open-source utilities that allow the use of a WhatsApp account without the app.
The security experts also noted that, in other respects, the infected build of YoWhatsApp is a fully working messenger with some additional features. Upon installation, it asks for the same permissions as the original WhatsApp installer, such as access to SMS, which are then shared with the Triada Trojan.
"Cyber-criminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources may still fall victim to them," Kaspersky wrote.
In particular, malware like Triada can steal an instant messenger account and, for instance, use it to send unsolicited messages. It can also easily set up paid subscriptions for the victim.
"Fake apps have appeared on app stores for years, but it is interesting to see a duplicate app that entices people with extra features that may persuade users to favor this one," Jake Moore, global cybersecurity advisor at ESET, told Infosecurity.
"However, by using this unofficial app, it may harm users' genuine accounts or even hand over access to their accounts to fraudsters."
According to the executive, account takeover and sensitive or personal data loss are significant security risks as they can lead to further targeted attacks.
"With this added faux authenticity, people are more easily socially engineered into handing over personal financial information or even begin sophisticated cyber-attacks on businesses," Moore added.
"Avoiding alternative apps such as this is highly recommended, but younger people who may be targeted with downloading these apps may be unaware of the dangers. Even worse is when they do not care of the risks, so awareness advice needs to be carefully delivered via peers and the platforms they frequent."
The discovery behind the malicious YoWhatsApp version comes days after Zimperium discovered an Android spyware family dubbed 'RatMilad' trying to infect an enterprise device in the Middle East.