This WhatsApp Android knock-off is hijacking user accounts

Researchers have found multiple WhatsApp knock-off applications stealing users' legitimate WhatsApp access keys.

With these keys, the apps’ authors can run all kinds of malicious campaigns, including one where the victims lose their hard-earned money.

Cybersecurity researchers from Kaspersky recently discovered two messaging apps for Android that clearly target WhatsApp users. One is called YoWhatsApp, and the other WhatsApp Plus. Both apps offer pretty much the same functionality as the genuine WhatsApp app, and then some. As per the report, YoWhatsApp apparently also comes with a customizable interface and the ability to block individual chat rooms.

Stealing access keys

What users don’t see, however, is that these apps also steal the legitimate WhatsApp access keys and send them to the knock-off’s authors, giving the attackers access to the victims’ user accounts.

According to Kaspersky, the keys can be used in open-source utilities and allow attackers to perform various actions without the user’s consent. Beyond that, the attackers can also eavesdrop on conversations, steal identity data, and more.

The researchers also said the attackers could use this access to subscribe the victims to premium services, charging them in the process and generating income.

The apps were being advertised via a couple of legitimate Android apps, and Kaspersky suspects the developers did not know they were being used to advertise malware. The authors have since been notified, and Kaspersky expects these distribution channels to be closed soon. Still, users who downloaded these apps will be at risk for as long as the apps remain installed on their endpoints.

Popular Android apps have many knock-offs, and while not all of them are malicious, it would be best to just stay away from them, researchers suggest. These kinds of apps are rarely found on Google’s official app repository, the Play Store, and are instead downloaded as .APK files from third-party sources. That alone should be enough of a red flag, they say.
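One concrete way to act on that red flag is to inventory which apps on a device were not installed by the Play Store. The script below is an added example written for this article, not code from Kaspersky or from the article’s source. It parses the output of `adb shell pm list packages -i` (which reports each package together with the installer that put it on the device) and flags packages whose name mimics WhatsApp but is not the genuine `com.whatsapp`, as well as a genuine-looking `com.whatsapp` that was not installed by the Play Store (`com.android.vending`). The sample `pm` output is constructed, and the package names used for the knock-offs are placeholders, not the real package names of YoWhatsApp or WhatsApp Plus, which the article does not give.

```python
import re

# Package name of the genuine WhatsApp client and the package name the
# Play Store reports itself under in `pm list packages -i` output.
GENUINE_WHATSAPP = "com.whatsapp"
PLAY_STORE_INSTALLER = "com.android.vending"

# `pm list packages -i` prints one line per package:
#   package:<name>  installer=<installer package or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(lines):
    """Turn `pm list packages -i` lines into (package, installer) pairs."""
    pairs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # skip blank lines or anything that is not a package line
            pairs.append((m.group("pkg"), m.group("inst")))
    return pairs


def audit_whatsapp_lookalikes(lines):
    """Return (package, installer, reason) for every suspicious WhatsApp-like package.

    Two conditions are flagged:
      * the package name contains "whatsapp" but is not the genuine com.whatsapp
        (a mod or knock-off, whatever its installer);
      * the package is com.whatsapp but was not installed by the Play Store
        (a sideloaded build that may not be the official client).
    """
    findings = []
    for pkg, inst in parse_pm_output(lines):
        if "whatsapp" not in pkg.lower():
            continue
        if pkg != GENUINE_WHATSAPP:
            findings.append((pkg, inst, "name mimics WhatsApp but is not com.whatsapp"))
        elif inst != PLAY_STORE_INSTALLER:
            findings.append((pkg, inst, "com.whatsapp not installed by the Play Store"))
    return findings


# Constructed sample of `adb shell pm list packages -i` output. The two
# knock-off package names are placeholders invented for this example.
SAMPLE_PM_OUTPUT = [
    "package:com.android.chrome  installer=com.android.vending",
    "package:com.whatsapp  installer=com.android.vending",
    "package:com.placeholder.yowhatsapp  installer=null",
    "package:com.placeholder.whatsappplus  installer=com.google.android.packageinstaller",
    "package:com.example.notes  installer=com.android.vending",
]


if __name__ == "__main__":
    # Real usage: feed in the device's output, e.g.
    #   adb shell pm list packages -i | python3 audit.py
    # Here the constructed sample is used so the script runs offline.
    for pkg, inst, reason in audit_whatsapp_lookalikes(SAMPLE_PM_OUTPUT):
        print(f"SUSPICIOUS {pkg} (installer={inst}): {reason}")
```

On a real device the same check runs over `adb shell pm list packages -i`; depending on the Android version a sideloaded app shows `installer=null` or the name of the package installer app, but in neither case does it show `com.android.vending`, which is what the audit keys on. A genuine `com.whatsapp` from the Play Store produces no finding.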

Via: BleepingComputer