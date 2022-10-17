Kaspersky researchers discovered a new malicious version of a popular WhatsApp messenger mod dubbed YoWhatsApp.

Popular for having features that the official app does not offer, this mod spreads the notorious Triada mobile Trojan, which can download other Trojans, issue paid subscriptions, and even steal WhatsApp accounts.

Users around the world were affected by this threat in the last two months, and more than a quarter of them, 27% from the META (Middle East, Turkey, Africa) region. Within the META region, 27% of users affected were from African countries.

This new malicious mod is advertised in the popular Snaptube app and is also distributed via Vidmate. This makes the mod look much less suspicious to potential targets and expands the possible number of victims.

WhatsApp is one of the most popular messengers, used by millions of users worldwide, but not all of them are satisfied with the features offered by the legitimate application. Thus, some users prefer to download WhatsApp mods that provide far more options, such as custom backgrounds and fonts for chats, bulk messaging, or password-protected login to certain conversations.

However, such mods are not always secure. Previously, Kaspersky had already discovered another modification of WhatsApp, which also spreads the dangerous Triada mobile Trojan. And now, researchers have witnessed that fraudsters continue to take advantage of the popularity of the globally recognised messenger by creating new malicious modifications, such as some versions of so-called YoWhatsApp.

To infect as many users as possible, cybercriminals have resorted to a new distribution scheme. They now advertise the malicious YoWhatsApp mod in the popular Android app Snaptube, which is used to download videos from YouTube, Facebook, and Instagram.

Since YoWhatsApp is being advertised in the Snaptube app used by hundreds of thousands of users around the world, many of them are not even aware that this modification could be dangerous. Most likely, even Snaptube’s developers were not aware that the attackers have decided to take advantage of legitimate advertisement mechanism in their app.