One of the most popularly used Instant Messaging services, WhatsApp, has many Mods that can install special features that are not provided by the original developer. One of the many Mods of WhatsApp is the FMWhatsApp that offers better privacy, App Locker, Chat Themes, and Emoji Packs. But there is something else that provides its users and that is Triada Malware which makes way for the nasty and almost impossible-to-remove, xHelper Trojan.
Researchers at Kaspersky have made an amazing discovery about the WhatsApp Mod named FMWhatsApp version 16.80.0 that drops the Triada trojan on all the installed devices using a Software Deployment Kit for advertising. The Kaspersky Security Expert, Igor Golovin, stated that all the FMWhatsApp Clones available on Google Play do not contain malicious mods but contain ads and instructions on how to download and install other mods. He further stated that “This app was available on some popular WhatsApp mods distributing sites. We cannot share the links to them though,”.
What is Triada Malware?
Triada Malware was initially discovered in 2016 by Kaspersky researchers who categorized it as a mobile supply chain malware that used to deliver other malware on victim’s devices. The new version discovered recently enters a user’s device through the Advertising Software Development Kit deployed by the FM WhatsApp mod for monetary purposes.
Once the Trida malware enters a device it acts as a payload downloader and injects up to six other Trojans into the infected device. These Trojans can be used to perform malicious activities on the victim’s phone. Kaspersky has called Triada an almost invisible malware and one of the most advanced mobile Trojans ever.
Previous versions of Triada were also found on CamScanner and APKPure in 2019 by Kaspersky on Google Play Store.
How Does Triada Malware function on the Installed devices?
The Triada malware installs on the users’ device with the help of FMWhatsApp and initiates collecting device information only to send it to its aligned server. The Command & Control server provides an additional payload that is downloaded and launched on the infected Android device. There isn’t a specific type of malware downloaded but random types can be launched as shown in the following table
|Trojan-Downloader.AndroidOS.Agent.ic||Downloads and launches malicious modules|
|Trojan-Downloader.AndroidOS.Gapac.e||Displays full-screen ads and installs other malicious modules.|
|Trojan-Downloader.AndroidOS.Helper.a||Installs one of the most dreaded xHelper Trojan installer modules and runs invisible ads|
|Trojan.AndroidOS.MobOk.i||Signs up the device users for paid subscriptions.|
|Trojan.AndroidOS.Subscriber.l||Once installed, it signs up the users for a premium subscription|
|Trojan.AndroidOS.Whatreg.b||Harvest device information and sign into WhatsApp account|
In addition to the above Trojans, different types of malware can be downloaded and gain access to the User’s device. This is possible because when the user downloads FMWhatsApp it asks for various permissions like text messages, phone apps, etc. However, the FMWhatsApp mod does provide all the features it promises which makes it difficult to detect this mod as a malware dispenser. The malicious files are generally spread through ad blocks in these apps.
It is recommended to download any software from the official App stores like Google Play Store. Amazon, Samsung Galaxy Store, etc. Although the official versions may not have some of the fancy features that you can use to impress your friends, at least they guarantee safety and security after install. There is no malware hidden within the official version of these popular apps.
What Is The Most- Dreaded xHelper Trojan And Why Is It Considered So Dreadful?
The Triada malware installs a bunch of other malware on your Android device and the worst of them all is the XHelper Trojan. It is malware that is nearly impossible to remove from your device and specializes in reinfecting Android devices after being deleted. It can even appear again after your phone is reset to factory settings.
The xHelper Trojan was first discovered by Malwarebytes in March 2019 and it has soon covered and infected 45000 until October 2019. It was observed that this malware used “Web Directs” and coerced users to download malicious apps from third-party app stores. The next step of the xHelper Trojan is to copy itself to the system partition of the device to protect itself and survive the attempts made to remove it. It can remount the system partition in write mode and also replaces the Libc.so file. Once the system library has been replaced the dreaded trojan can block the user’s access to the mount and ensure nobody can remove it.
How Can xHelper Trojan Be Removed From Your Android Device?
The most reliable way to remove this malware is by reflashing the Android system. This is more powerful than a factory reset as it wipes out every bit of software information and induces a new copy of the operating system and other system tools.
Note: Malware bytes claims that the free version of the Malware App for Android can remove this trojan successfully.
The Final Word On WhatsApp Mod infects Android devices with an Impossible-To-Remove malware
It has been strongly recommended by security experts to use official versions of the apps only from legit App Stores. Malware like Triada is preinstalled on budget phones in some cases to provide a backdoor. The malicious actors use this backdoor to take advantage of the device by gaining access to the device and probably the rights to control it as well. A real-time Android Optimizer app like Smart Phone Cleaner will help protect your device and keep your phone optimized at all times.