Unofficial WhatsApp Android app Stealing User’s Accounts

WhatsApp Mobile Networks and Telephones
Advisory ID:
October 28, 2022


A Triada Trojan was discovered in a version of the YoWhatsApp app (version that was being distributed. YoWhatsApp is an unofficial modification of the world's most popular messenger app, WhatsApp, and its popularity stems from the additional features it offers, such as a customisable interface and chat blocking. Triada is a mobile Trojan that actively uses root privileges to replace system files and employs several clever techniques to remain almost invisible.

Description & Consequence

This malicious Android app is not sanctioned or affiliated in any way with WhatsApp or its parent company, Meta, and is primarily distributed through clickable ads on the popular Android app Snaptube.

Following installation, it will request the same permissions as the legitimate WhatsApp app, as well as decrypt and launch the Triada Trojan payload alongside the main app. Once downloaded and installed, the Triada Trojan attempts to gather information about the device or system, such as the device model, OS version, amount of SD card space, list of installed applications, and so on. The information is then sent to the Command & Control server. The Trojan will then steal a variety of keys that are integral to the functioning of WhatsApp and send them to a remote server. These keys, when used in conjunction with certain open-source utilities, permit the use of a WhatsApp account without the need for an application.

A direct clone of YoWhatsApp titled ‘WhatsApp Plus’ is also being distributed through the internal store of popular Youtube download app ‘Vidmate’.

Theft of user keys may lead to the following:

  1. Account takeover
  2. Impersonation
  3. Disclosure of private chats
  4. Registration of user to paid subscriptions without user’s knowledge


Those who are in the habit of using unofficial, modified apps are advised to stop, and only use the official WhatsApp application. Furthermore, only downloads apps from official sources such as the Google Play Store or App Store.



Related Articles