Trojan detected in WhatsApp extension

Bad news for users of WhatsApp who run the messenger with additional apps. A Trojan has now been found in one of them.

They are called “WhatsApp Plus”, “GBWhatsApp” and “FMWhatsApp” – extensions for the popular messenger. With these, users can unlock additional features. atechbook has already advised against these apps in the past. For one thing, they are not available in the Apple App Store or the Google Play Store, but must be downloaded directly from the web to the smartphone. For another, WhatsApp recently announced that it will block users who have “WhatsApp Plus” or “GBWhatsApp” linked to their official account.

But that is apparently not all: there is another problem with the WhatsApp extension “FMWhatsApp”. The security experts from “Securelist by Kaspersky” have found a Trojan in it!

Trojan can be expensive for users

According to Kaspersky, the app’s code hides the so-called “Triada” Trojan, which can have different consequences for users of the WhatsApp extension “FMWhatsApp”. The Trojan, identified as “Trojan.AndroidOS.Triada.ef”, proceeds as follows: as soon as the app is launched, it sends the smartphone’s device number, user ID and MAC address to a server, which then automatically registers the smartphone.

A link to a malicious file then comes back. The user does not have to click on it and does not even see it: the Triada Trojan handles that on its own. It downloads the file, decrypts it and starts it. Kaspersky has found no fewer than six possible malware programs that can land on a smartphone in this way:

  1. Trojan-Downloader.AndroidOS.Agent.ic
  2. Trojan-Downloader.AndroidOS.Gapac.e
  3. Trojan-Downloader.AndroidOS.Helper.a
  4. Trojan.AndroidOS.MobOk.i
  5. Trojan.AndroidOS.Subscriber.l
  6. Trojan.AndroidOS.Whatreg.b

These have different effects on the infected smartphone, listed here in the same order:

  1. Automatically downloads and executes additional malware
  2. Automatically downloads and executes additional malware. Displays advertisements in full-screen.
  3. Downloads malware called “xHelper” and plays invisible advertisements in the background. “xHelper” in turn downloads other malware itself.
  4. Registers the smartphone or account for paid subscriptions
  5. Registers the smartphone or account for paid subscriptions
  6. Logs into third-party WhatsApp accounts via the infected smartphone

While all six consequences are undesirable, subscribing to paid services is probably the one that stands out most. So keep an eye on your subscriptions and uninstall the app quickly.

It is best to avoid WhatsApp extensions

atechbook recommends avoiding such extensions. Even if the promised and partly delivered functions are tempting, it is not worth getting blocked from the messenger or catching a Trojan for them. In general, you should not download apps that are not available in the official app stores, because such apps lack the stores’ malware checks.
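
One way to check an Android phone for apps that did not come from an official store, as an added example that is not from the article or from Kaspersky: it parses the output of `adb shell pm list packages -3 -i`, which lists third-party apps with their installer. The sample output, the package names in it and the choice of Google Play as the only official installer are assumptions made for illustration.

```python
import re

# Assumption for this example: Google Play is the only official installer.
# Extend the set if the device ships with a vendor store you trust.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# The three mods named in the article, lowercased with punctuation removed.
MOD_HINTS = ("whatsappplus", "gbwhatsapp", "fmwhatsapp")

# One line of `pm list packages -3 -i`: package:<name> installer=<name|null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample output; the package names are made up for illustration.
SAMPLE = """\
package:com.whatsapp installer=com.android.vending
package:com.example.fmwhatsapp installer=null
package:org.example.notes  installer=com.google.android.packageinstaller
package:com.example.game installer=com.android.vending
"""


def audit(pm_output):
    """Return (package, reasons) for every app that deserves a manual look."""
    findings = []
    for raw in pm_output.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank lines and anything adb printed around the list
        pkg, installer = match["pkg"], match["inst"]
        reasons = []
        if installer not in OFFICIAL_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        flat = re.sub(r"[^a-z0-9]", "", pkg.lower())
        if any(hint in flat for hint in MOD_HINTS):
            reasons.append("name resembles a WhatsApp mod")
        if reasons:
            findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE):
        print(f"{pkg}: {'; '.join(reasons)}")
```

A finding means the app should be reviewed, not that it is malicious: apps installed from other legitimate sources are flagged as sideloaded too.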


  • Kaspersky