Mobile Menace Monday: Fake WhatsApp can steal info from your phone

Credit to Author: Nathan Collier | Date: Mon, 02 Apr 2018 17:00:00 +0000

Last month, a blogger at My Online Security reported receiving a spam comment containing WhatsApp Plus. Going through the process, they downloaded an APK of this so-called WhatsApp Plus. Their conclusion, as stated:

I am not certain exactly what this does, but from the sandbox reports it looks like it has the potential to steal information, photos, phone numbers etc from your mobile phone.  

Indeed, they are correct, as this is a variant of Android/PUP.Riskware.Wtaspin.GB, a Fake WhatsApp riskware that dates back to mid-2017.  But what makes this variant unique is where it leads us.

What's in a Fake WhatsApp?

Like our dear My Online Security blogger, I too went through the process and downloaded and installed the APK mentioned in the linked blog. Upon opening the app, the following greeting appears:

Of special interest is the gold logo in the middle with a URL and handle. Onward, I clicked on AGREE AND CONTINUE to find, oh no, I was out of date!

The message states, "Please go to Google Play Store to download latest version." Nah, I'd rather click the DOWNLOAD button. Where I was redirected was intriguing.

Into another realm of Fake WhatsApp

I landed on the URL from the shiny gold logo shown above. Everything on the webpage is written in Arabic.

Here I was on the official website to download Watts Plus Plus WhatsApp—that unusual name could very well be an awkward Google translate, by the way.  Among numerous ads (a developer needs to make some ad revenue after all) was text explaining this developer’s WhatsApp version. Below is the (very) rough translation, with minor condensing to the most pertinent information:

What is Watts Plus Plus Whatsapp Plus?

Is a copy of WattsPlus developed by Abu, there may be no confidence in some users in the download of Whatsapp Plus, but this version has been checked files Wats through special programs and the result is positive is safe , and the version of Watts Plus is updated Abu periodically for the  last issue is a special version of the fans of Watts AP Plus:

Secure:  The antivirus software code has been checked, the Watsp files are encrypted in the Watspec servers and cannot be decrypted and can only be decrypted by Wattsp itself.

Updated to the latest version:  Watts August the company issued almost every two days a simple update, and is almost updated copies of our own every two months periodically until the copies contain only critical updates.

Four numbers in the same phone: In this version you can run up to four numbers in the same phone without a routine or any difficulty

Features

Hide the last appearance of friends completely with the property of hiding the reading and reception, and the disappearance of the current writing and running and hide that you have played a clip and your voice. And hide that you watched the case of your friend (Alasturi).

The possibility of changing the program line completely to many of the ready lines

Provides the security feature of the application by placing a secret number cannot open the application without it.

Provides security for conversations by placing a secret number cannot open the conversation without him.

You can send more than 100 photos at once to your friends.

And many other features

Hide what you saw the situation:  You can in the latest version of WhatsApp + WhatsApp Plus WhatSapp Plus AbuSamad AlRifa’i Hide that you watched the status of friends from privacy options from the top menu.

What is the best feature in WhatsApp Plus WhatsApp Plus What isApp Plus Abu Sadam Rifai  If we activate this option, no one will be able to see you online forever and will not show the date of your last appearance and no one will know you are online even while you are on the wattage .

Hide the second health:  The sender of the messages will not be able to tell you that you received the message.

Hides the blue ones:  The sender cannot tell you that you read the message but in return you know that he has read the messages and only shows you the blue ones.

Hide the current writing:  You can also in the new version and the latest version of WhatsApp + WhatsApp Plus whatsapp plus Abu Saddam Al – Rifai  hide hiding or typing on the other end of the conversation.

Hides recording:  When recording a track.

Hide playback signal:  ie, the sender cannot tell you have listened to the audio track.

Two-way operation:  You can run two versions of Wattsp on one device without a router by downloading Watts 1 and Watts 2.

See the status of people without entering the conversation:  You can see the status of people connected or last seen from the main screen of the program.

What stood out to me was all the abilities to hide oneself in various ways—very spy-like behavior.

Onward to the next version

Sifting through all the ads stating they were the download button, I finally came across the true download link. After updating, I once again came to the same screen shown above with the gold logo. This time, after pressing the AGREE AND CONTINUE button, the next screen asked to verify a phone number.

After doing so, a changelog appeared with fixes to the app’s hiding features.


Clicking OK to the changelog, what appears to be a functioning version of WhatsApp opens.


WhatsCode…ur…what’s in the code

The incriminating code of Android/PUP.Riskware.Wtaspin.GB is within receivers, services, and activities starting with com.gb.atnfas. The same code appears in various fake WhatsApp APKs. The only difference in the version described above is that its code points to the Arabic webpage for updates.
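A defender-side check for the component prefix named above, as an added example rather than code from the original post: it scans a decoded AndroidManifest.xml for receivers, services, and activities under com.gb.atnfas. It assumes the manifest has already been decoded to plain XML; the sample manifest, the function names, and every class name after the prefix are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RISKWARE_PREFIX = "com.gb.atnfas"  # component prefix named in the article
COMPONENT_TAGS = ("receiver", "service", "activity")

# Constructed sample: a decoded (plain-text) manifest. The package name and
# all class names after the prefix are made up for this example.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <application>
    <activity android:name="com.example.messenger.Main"/>
    <activity android:name="com.gb.atnfas.ExampleActivity"/>
    <service android:name="com.gb.atnfas.ExampleService"/>
    <receiver android:name="com.gb.atnfas.ExampleReceiver"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""


def resolve_name(name, package):
    """Expand manifest shorthand ('.Foo' or 'Foo') to a fully qualified class."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def find_riskware_components(manifest_xml, prefix=RISKWARE_PREFIX):
    """Return sorted (tag, class) pairs for components under the prefix."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for tag in COMPONENT_TAGS:
        for node in root.iter(tag):
            name = resolve_name(node.get(ANDROID_NS + "name", ""), package)
            # Assumption: match on a package boundary so that an unrelated
            # package such as com.gb.atnfasx is not flagged.
            if name.startswith(prefix + "."):
                hits.append((tag, name))
    return sorted(hits)


if __name__ == "__main__":
    for tag, name in find_riskware_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name}")
```

The binary AndroidManifest.xml taken straight from an APK will not parse here; decode it to text XML first.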

After analyzing several different versions of PUP.Riskware.Wtaspin.GB, it appears all have different URLs from which to update. Thus, everyone is just copycatting the original source code and adding their own "update" website. So, who is the original author of this riskware? Is the Arabic developer, Abu, the originating author?

The code of this riskware is complex. The webpage of the developer claiming to be the owner is not so complex. Although I won't completely rule out the possibility, let's just say I am skeptical.

No matter the true author or origin of this fake WhatsApp, I suggest sticking with the real WhatsApp on Google Play. Although Google Play has its faults, it's tremendously safer than some of the sources I came across researching this riskware. Stay safe out there!

The post Mobile Menace Monday: Fake WhatsApp can steal info from your phone appeared first on Malwarebytes Labs.
