Malicious WhatsApp Mods

A recurring attack vector where modified WhatsApp clients (FMWhatsApp, YoWhatsApp, CanesSpy) are trojanized with malware payloads, primarily the Triada trojan. These mods offer features unavailable in official WhatsApp (custom themes, read receipt hiding, message scheduling) but bundle malicious ad modules that download additional malware, steal WhatsApp authentication keys, and subscribe victims to premium services.

Overview

Property	Value
First Seen	Ongoing (documented campaigns 2021-2023)
Type	Trojanized messaging app modifications
Attribution	Various (mod developers compromised by or colluding with malware operators)

Major Campaigns

FMWhatsApp (2021)

Version 16.80.0 contained a third-party ad module that included Triada (Trojan.AndroidOS.Triada.ef). Downloaded additional malware: display ads, subscribe to paid services, intercept SMS. Documented by Securelist.

YoWhatsApp (2022)

Version 2.22.11.75 contained Triada (Trojan.AndroidOS.Triada.eq). Distributed through ads in Snaptube and Vidmate's internal app store. Stole WhatsApp authentication keys to hijack accounts. Malicious module removed after Kaspersky contacted the developers (November 2022). Documented by Securelist.

CanesSpy (2023)

WhatsApp spy mod proliferating within Telegram channels. 340,000+ attacks in October 2023 alone. Targeted Arabic and Azeri-speaking users. Kaspersky detection: Trojan-Spy.AndroidOS.CanesSpy. Documented by Kaspersky.

Common Pattern

All three campaigns follow the same pattern:

1. Popular WhatsApp mod attracts large user base with extra features
2. Malicious ad SDK or spy module is injected into a mod update
3. Users install the update through third-party sources (no Play Store review)
4. Malware component activates: data theft, subscription fraud, or account hijacking

References

• Securelist: Triada Trojan in WhatsApp mod (2021)
• Securelist: Malicious WhatsApp mod distributed through legitimate apps (2022)
• Kaspersky: WhatsApp spyware modifications in Telegram