
Watch Out For This Wormable Malware Spreading Via WhatsApp

by Abeerah Hashim

Heads up, WhatsApp users! A new wormable malware campaign targeting WhatsApp users is in the wild. The malware spreads from one WhatsApp user to the next, apparently to expand an adware campaign.

Malware Spreading Via WhatsApp

Security researcher Lukas Stefanko has analyzed a new malware campaign targeting WhatsApp users.

The campaign first caught the attention of another Android security researcher, known by the alias ReBensk, who disclosed it in a tweet.

Stefanko then analyzed the malware and shared details in a blog post.

Briefly, the campaign targets WhatsApp users with wormable malware. Once it has infected a device, the malware self-propagates by abusing WhatsApp notifications: whenever the victim receives a WhatsApp message, the malware answers it automatically. The sender of that message thus receives a reply, apparently from the victim, containing a link to what looks like a Play Store app.

Tapping the link takes the new target to a page that poses as a Huawei app listing and mimics the Google Play Store design. The phishing page is not hosted on the Play Store, however; the app is sideloaded from the attacker's site.

If the target installs the app, the malicious app asks for notification access, which is what lets it read incoming WhatsApp notifications and send replies through them. It also asks for permission to keep running in the background and for the "draw over other apps" permission.

Once established, the malware fetches the message text from its C2 server every hour. The wording changes dynamically, but the link is always present. The spam message then reaches other users whenever the malware replies to a WhatsApp message notification on the infected device.
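A practical check for an infected device follows from the two permissions above. Notification access is recorded in the `enabled_notification_listeners` secure setting, and the overlay permission is an app op (`SYSTEM_ALERT_WINDOW`), so both can be read over adb. The script below is an added example, not code from Stefanko's analysis or from the malware: it parses the output of those two commands and flags any app with notification access that is not on an allowlist, noting whether it also holds the overlay permission. The sample command outputs, the allowlist, and the package names in it (including `com.example.fakehuawei`) are constructed for this example and are not the real malware's identifiers.

```python
"""Audit which Android apps hold the two permissions the WhatsApp worm relies on.

Added example; not code from Stefanko's analysis or from the malware. It parses
the output of two adb commands that you would run against the device:

    adb shell settings get secure enabled_notification_listeners
    adb shell appops get <package> SYSTEM_ALERT_WINDOW

The sample outputs below are constructed; package names are hypothetical.
"""
from __future__ import annotations

# Packages whose notification access is expected on this device. Hypothetical
# allowlist; tune it to the device's legitimate apps (e.g. a watch companion).
ALLOWLIST = {
    "com.android.systemui",
    "com.google.android.wearable.app",
}

# Constructed output of `settings get secure enabled_notification_listeners`:
# a colon-separated list of ComponentName strings in package/class form.
SAMPLE_LISTENERS = (
    "com.google.android.wearable.app/"
    "com.google.android.clockwork.companion.NotificationListener:"
    "com.example.fakehuawei/.NotifService"
)

# Constructed output of `appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package.
SAMPLE_APPOPS = {
    "com.google.android.wearable.app": "SYSTEM_ALERT_WINDOW: default",
    "com.example.fakehuawei": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m4s ago",
}


def parse_listeners(raw: str) -> dict[str, str]:
    """Map package -> fully qualified listener class from the settings value.

    A class part starting with '.' is shorthand relative to the package name."""
    result: dict[str, str] = {}
    for component in raw.strip().split(":"):
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        result[pkg] = cls
    return result


def overlay_allowed(appops_line: str) -> bool:
    """True only if the appops output reports SYSTEM_ALERT_WINDOW as 'allow'.

    Other modes ('default', 'deny', 'ignore') and an empty/missing line are
    treated as not granted."""
    _, _, rest = appops_line.partition(":")
    mode = rest.strip().split(";")[0].strip()
    return mode == "allow"


def suspicious_apps(listeners_raw: str, appops_by_pkg: dict[str, str],
                    allowlist: set[str] = ALLOWLIST) -> list[dict]:
    """Return every non-allowlisted app with notification access, flagging
    whether it also holds the 'draw over other apps' permission."""
    findings = []
    for pkg, cls in parse_listeners(listeners_raw).items():
        if pkg in allowlist:
            continue
        overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        findings.append({"package": pkg, "listener": cls, "overlay": overlay})
    return findings


if __name__ == "__main__":
    for finding in suspicious_apps(SAMPLE_LISTENERS, SAMPLE_APPOPS):
        tag = "notification access + overlay" if finding["overlay"] else "notification access"
        print(f"{finding['package']} ({finding['listener']}): {tag}")
```

On a real device, pipe the live command outputs into `suspicious_apps` in place of the constructed samples. An app that is neither a system component nor a known notification integration, yet holds both notification access and the overlay permission, deserves a closer look; the combination is exactly what this worm needs to read WhatsApp notifications and reply to them unnoticed.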

The following video explains the attack scenario.

What Next?

As per Stefanko's analysis, the malware is written in Java and is currently in the wild. For now it appears to serve only as adware, but it could be upgraded in the future into a more damaging trojan, since the same notification access that spreads the spam also lets it read the victim's incoming messages.


1 comment

talha January 27, 2021 - 3:59 pm

An app asking for too many permissions is already a hint that something fishy is going on; also, it's good practice to read the URL before doing anything...
