An unofficial WhatsApp application for Android devices, named ‘YoWhatsApp’, has been found stealing access keys for users’ accounts.
YoWhatsApp is a fully working messenger app that uses the same permissions as the standard WhatsApp app and is promoted through advertisements on popular Android applications like Snaptube and VidMate.
The app lets users communicate with two WhatsApp numbers on a single device and offers features such as anonymous messaging, the ability to view people’s deleted messages, and password-protecting specific chats.
However, analysts at Kaspersky found that YoWhatsApp v2.22.11.75 was stealing WhatsApp keys, enabling the threat actors to control users’ accounts.
According to a report published by Kaspersky, the modded application sends users’ WhatsApp access keys to the developer’s remote server. “These keys can be used in open-source utilities to connect and perform actions as the user without the actual client,” it added.
While Kaspersky has not stated whether these stolen access keys have been abused, they can lead to account takeover, disclosure of sensitive communications with private contacts, and impersonation of the user to close contacts.
Like the real WhatsApp Android app, the malicious app requests permissions such as access to SMS, and these permissions are also granted to the Triada Trojan that’s embedded in the app.
Kaspersky noted that the trojan could exploit the permissions to sign users up for premium subscriptions without their knowledge.
The modded YoWhatsApp is promoted via ads in Snaptube, a very popular video downloader that has suffered from malvertising in the recent past. Kaspersky has informed Snaptube about cybercriminals pushing malicious apps through its ad platform.
Kaspersky also found a YoWhatsApp clone named “WhatsApp Plus,” featuring the same malicious functionality, spread via the VidMate app, presumably without its authors knowing about it.