• Home
  • |
  • Blog
  • |
  • How Does FMWhatsApp Hack Your SmartPhones? What You Should Do To Prevent It?
How Does FMWhatsApp Hack Your SmartPhones

When users see the modified WhatsApp apps offering many more features with attractive color and animation, some of them will be amazed and can’t stop themselves from installing and play with it. But, they don’t know that they are playing with the malware, which could cause potential damage to their privacy, could compromise their confidential information like their emails, SMSs, saved credentials. One such modified version of WhatsApp, ‘ FMWhatsApp’ is identified, which is trojanized to intercept text messages, display full-screen ads, serve malicious payloads, and enroll device owners for unwanted premium subscriptions without their knowledge. Let’s explore how does FMWattsApp hacks your smartphone and what you can do to prevent it.

How Does FMWhatsApp Hack Your SmartPhones Using Trojan Triada?

Russian cybersecurity firm Kaspersky published a technical report which says that “Trojan Triada snook into one of these modified versions of the messenger called FMWhatsapp 16.80.0 together with the advertising software development kit (SDK).” Let’s see how does FMWattsApp hack your smartphone.

  1. When a user downloads FMWhatsApp on his Android device, he also downloads an advertising software development kit (SDK) which brings Trojan Triada to the device.
  2. When the user launches the app, Triada gathers unique device identifiers like Device IDs, Subscriber IDs, MAC addresses, service provider’s name, and location.
  3. The trojan registers the device with a remote server by sending all the captured device details to the remote server.
  4. The remote server responds to the device with a link that can be used to downloads a payload from the remote server.
  5. Files downloaded by the FMWhatsApp on the Victim’s device:
    1. Trojan-Downloader.AndroidOS.Agent.ic: It downloads malicious modules.
    2. Trojan-Downloader.AndroidOS.Gapac.e: It not just downloads and launches malicious modules, it also displays full-screen ads to the user.
    3. Trojan-Downloader.AndroidOS.Helper.a: It downloads and launches the xHelper Trojan installer module. And, it also runs ads in the background.
    4. Trojan.AndroidOS.MobOk.i: It enroll the device for unwanted paied services.
    5. Trojan.AndroidOS.Subscriber.l: It is again used to sign up the user for premium paid services.
    6. Trojan.AndroidOS.Whatreg.b: This file is used to hijack WhatsApp accounts on the Victim’s phone. This malware sends all the gathered information to the remote server and register the device with the C2 servers.

What FMWhatsApp Will Do on The Victim’s Device?

This modified version of messenger, FMWhatsApp can do various malicious activities on the Victim’s device.

  1. It downloads additional malware modules on the device.
  2. Run full-screen ads.
  3. Subscribe the victims to premium services without their knowledge.
  4. Hijack victims’ WhatsApp accounts are on the device to carry out social engineering attacks and distribute spam messages.
  5. Read text messages on the device.
  6. Exfiltrate unique device identifiers like Device IDs, Subscriber IDs, MAC addresses, service provider’s name, and location.
  7. Spread malware to other devices.

How to Protect Your Device Being Hacked by FMWhatsApp?

Awareness is the key to protect your smartphone from any malware. Keep these recommendations to secure your smartphone secured from FMWhatsApp and Trojan Triada.

  1. Never download and install apps from untrusted third-party websites. Install the apps only from official stores.
  2. Don’t load your phone with multiple similar apps. Don’t install more than two messenger apps.
  3. Verify what permissions you’ve granted to installed apps and revoke the permissions if not required.
  4. Install premium antimalware programs on your smartphone and always keep its database up to date.
  5. Don’t connect your smartphone to a public, open, or unknown WiFi network.

What Can You Protect Your WhatsApp Account?

If you feel that your smartphone or WhatsApp account was hacked, Read this article to protect WhatsApp account from hackers.

  1. Report to WhatsApp support:  If you start getting multiple verification messages in a short amount of time, please report to WhatsApp support. Don’t react to those messages. This is the clear indicator that says someone is attempting to register using your phone number.
  2. Enable two-step verification: Enabling two-step verification is one of the best ways to protect. The six-digit PIN and email address are the key factors for securing your account. Using your email address to set up two-step verification helps the WhatsApp support team to identify that it was you.
  3. Set a lock on WhatsApp: When you set up a six-digit PIN, WhatsApp will ask you to enter the PIN when your account is tried to set up on another device. This will work as a shield against the attack.
  4. Export chats and delete: It is always good to export your chats data to your email or cloud storage and protect with a password as the default export option will not be encrypted. Then delete the complete chat history.
  5. Move the backups to external storage: This option is only for Android users. Android users can export the backup to external storage and delete the backup. This would protect your data from being accessed by the attacker.
  6. Install WhatsApp updates: Always upgrade your WhatsApp app without fail whenever there is a new version available. This ensured many bugs and vulnerabilities got fixed, which was exist in old versions.

Trojan Triada IOC:

MD5

Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
Trojan-Downloader.AndroidOS.Agent.ic 92b5eedc73f186d5491ec3e627ecf5c0
Trojan-Downloader.AndroidOS.Gapac.e 6a39493f94d49cbaaa66227c8d6db919
Trojan-Downloader.AndroidOS.Helper.a 61718a33f89ddc1781b4f43b0643ab2f
Trojan.AndroidOS.MobOk.i fa9f9727905daec68bac37f450d139cd
Trojan.AndroidOS.Subscriber.l c3c84173a179fbd40ef9ae325a1efa15
Trojan.AndroidOS.Whatreg.b 4020a94de83b273f313468a1fc34f94d

C&C

hxxp://t1k22.c8xwor[.]com:13002/
hxxps://dgmxn.c8xwor[.]com:13001/

Thanks for reading the post. Please share this with all others and create awareness about cybersecurity.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.