OFFICIAL SECURITY BLOG
January 23, 2014 | BY Armando Orozco
WhatsApp is one of the most popular mobile apps today and is frequently targeted by malware, hackers and copycats. So it’s no surprise we’d find a rogue website offering a way to download it.
This particular site, aimed at Russian speakers, serves up a premium-rate SMS Trojan that charges SMS fees for access to install what hopefully is the WhatsApp app.
While this type of Trojan and method of delivery are not new, they must continue to be a good source of revenue for malware distributors.
In our efforts to keep on top of SMS Trojans, we came across this site and thought we’d show an example of how this scam is performed.
The vast majority of Android malware consists of SMS Trojans, which rely on social engineering, like this rogue site, to get as many installs as possible.
The site is pretty basic and scrapes some of the content from the legitimate WhatsApp website. It offers a description of WhatsApp, a comments section, and a download page, with versions for iOS, Android, Nokia, Windows Phone, and BlackBerry.
The Trojan itself has been around for a while, but the malware authors are serving up polymorphic files, which change with each visit. The changes involve strings like the package name and Java classes. The overall code and data flow remain the same. This tactic isn’t necessarily aimed at the user, but at avoiding detection by AV vendors.
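Why renamed packages and classes defeat hash-based signatures while a rename-invariant fingerprint still matches, as an added example that is not from the original post or from Malwarebytes. The app model, class names and instruction lists are constructed and simplified; a real detector would parse `classes.dex` instead.

```python
import hashlib
import json

# Constructed model of two downloads of the same Trojan and one unrelated app.
# Each app is {class name: {method name: [instructions]}}; names are hypothetical.
VARIANT_A = {
    "com.qwe.abc.Main": {"onCreate": ["invoke com.qwe.abc.Sender.go", "return-void"]},
    "com.qwe.abc.Sender": {"go": [
        "const-string",
        "invoke android.telephony.SmsManager.sendTextMessage",
        "return-void"]},
}
VARIANT_B = {  # same code and data flow, different package, class and method names
    "net.zxc.k.Start": {"a": ["invoke net.zxc.k.Q.b", "return-void"]},
    "net.zxc.k.Q": {"b": [
        "const-string",
        "invoke android.telephony.SmsManager.sendTextMessage",
        "return-void"]},
}
UNRELATED = {
    "org.example.chat.Main": {"onCreate": ["invoke org.example.chat.Net.open", "return-void"]},
    "org.example.chat.Net": {"open": ["invoke java.net.Socket.connect", "return-void"]},
}

def file_hash(app):
    # Stand-in for hashing the APK bytes: any renamed string changes the result.
    return hashlib.sha256(json.dumps(app, sort_keys=True).encode()).hexdigest()

def normalize(app):
    own = set(app)  # classes defined by the app itself, i.e. what gets renamed

    def norm_insn(insn):
        op, _, target = insn.partition(" ")
        if target and target.rsplit(".", 1)[0] in own:
            return op + " <app>"  # call into the app's own renamed code
        return insn               # framework API names survive the renaming

    classes = []
    for methods in app.values():
        # Drop method names, keep each body; sort so ordering does not matter.
        classes.append(sorted([norm_insn(i) for i in body] for body in methods.values()))
    return sorted(classes)

def structural_fingerprint(app):
    return hashlib.sha256(json.dumps(normalize(app)).encode()).hexdigest()

if __name__ == "__main__":
    for name, app in [("A", VARIANT_A), ("B", VARIANT_B), ("unrelated", UNRELATED)]:
        print(name, file_hash(app)[:12], structural_fingerprint(app)[:12])
```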
Most of you reading this would not encounter this site or similar ones, but this is an example of why it’s important to stick to trusted sources for your mobile apps. A trusted application name doesn’t always mean a trusted source.
We are working on getting this site and others like it shut down.
Malwarebytes Anti-Malware Mobile detects this as Android/Trojan.SMS.FakeInst.