Fake WhatsApp Riskware Points to Copycatting

An Android app dubbed WhatsApp Plus has been unmasked as a variant of Android/PUP.Riskware.Wtaspin.GB, which steals information, photos, phone numbers and so on from a mobile phone. 

Fake WhatsApp riskware, usually found in third-party app stores, dates back to mid-2017. However, the newest version is notable in that its pathology indicates a copycat phenomenon occurring among malware developers.

The malware, once installed, tells users that their app is out of date and offers a download link. Clicking the link takes users to a webpage written entirely in Arabic. The page calls the app “Watts Plus Plus WhatsApp” and claims it was developed by someone named Abu.

Looking into the code, researcher Nathan Collier at Malwarebytes found that while the app can hide itself in various ways – “very spy-like behavior,” he said – it contains the same incriminating Android/PUP.Riskware.Wtaspin.GB code found within the receivers, services and activities of existing fake WhatsApp APKs.

“The only difference of the aforementioned version from above is the code points to the Arabic webpage to update,” Collier explained. “After analyzing several different versions of PUP.Riskware.Wtaspin.GB, it appears all have different URLs from which to update. Thus, everyone is just copycatting the original source code and adding their own update website.”

The original author of the riskware is unlikely to be the Arabic developer, Abu, he added.

“The code of this riskware is complex,” Collier said. “The webpage of the developer claiming to be owner – not so complex. Although I won’t completely rule out the possibility, let’s just say I am skeptical.”

To stay safe, users are given a simple prescription: Only download the real WhatsApp on Google Play.
