Spam emails promoting a non-existent PC version of the popular WhatsApp messaging service are leading unsuspecting users to a banking Trojan.
The emails, written in Portuguese, trick the recipient into thinking they already have 11 pending friend invitations, according to Kaspersky Lab’s Dmitry Bestuzhev, who wrote about the malware today on Securelist.com.
If users click the “Baixor Agora” (Download Now) link in the email, they are redirected, through a hacked Turkish server, to a Hightail.com URL that serves the first stage. Hightail (formerly YouSendIt) is, like Dropbox, a cloud file storage and sharing service, so the download arrives from a legitimate domain. According to Bestuzhev, that file is a downloader disguised as a relatively small 2.5 megabyte MP3, small enough that users are likely to open it; once run, it fetches the banker from a server in Brazil.
Once installed, the banker gets to work stealing data, packaging it and shipping it off to the cybercriminals, then downloading additional malware files of up to 10 megabytes to the system.
“The malware reports itself to the cybercriminals’ infections statistics console and when open, a local port 1157 sends stolen information in the Oracle DB format,” Bestuzhev wrote today.
There is no indication yet that the campaign has reached U.S. users; given WhatsApp’s popularity abroad, especially in Europe and Latin America, it appears to be confined to those regions, at least for now.
Bestuzhev goes so far as to call it a “classic style of a Brazilian-created malware”: it appears to target users in Brazil, a country with an established WhatsApp userbase, and the Trojan itself is downloaded from a Brazilian server.
The cross-platform messaging app has been massively popular of late, boasting more than 430 million users, 30 million of them added in just the last month, and carrying more than 50 billion messages a day. Rumors that Google was going to acquire the service last spring for roughly $1 billion surfaced but quickly deflated.
The company’s CEO and co-founder Jan Koum has previously said the company makes a point of knowing as little as possible about its users and that it doesn’t collect people’s personal information, just users’ phone numbers and the list of contacts they want to communicate with.
While that may be true, it was reported in October that anyone wanting to eavesdrop on users’ WhatsApp conversations could do so, “given enough effort.”
Dutch researcher Thijs Alkemade disclosed a vulnerability in the app’s crypto implementation, specifically the fact that it uses the same key for incoming and outgoing messages, that could leave messages exposed. Because the cipher in use (RC4) is a stream cipher, one key in both directions means both sides’ traffic is XORed with the same keystream: XORing an outgoing ciphertext with an incoming one cancels the keystream and leaves the XOR of the two plaintexts, which an attacker holding some known or guessable text can unravel. WhatsApp dismissed the research, however, describing the attack scenario as “more theoretical in nature.”
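To make the flaw concrete, here is an added example (not WhatsApp’s code or Alkemade’s) that models the reported design: RC4, which WhatsApp used at the time, keyed identically for the outgoing and incoming streams, with each direction starting its own stream from the beginning of the same keystream (an assumption of the model). The RC4 implementation, the session key and the two messages are all constructed for the demonstration; the attack generalises to any stream cipher whose keystream is reused.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (standard KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Weak design being modelled (assumption): one session key, and each direction
# starts a fresh RC4 stream from byte 0 of the same keystream.
SESSION_KEY = b"constructed-session-key"   # constructed for the example


def encrypt_both_directions(key: bytes, outgoing: bytes, incoming: bytes):
    """Encrypt a client->server message and a server->client message with one key."""
    return rc4_crypt(key, outgoing), rc4_crypt(key, incoming)


def recover_with_crib(c_out: bytes, c_in: bytes, known_outgoing: bytes) -> bytes:
    """Passive attacker who knows (or guesses) the outgoing plaintext.

    c_out ^ c_in = (m_out ^ ks) ^ (m_in ^ ks) = m_out ^ m_in, so the shared
    keystream cancels and XORing in m_out reveals as many bytes of m_in.
    """
    n = min(len(c_out), len(c_in), len(known_outgoing))
    return xor_bytes(xor_bytes(c_out[:n], c_in[:n]), known_outgoing[:n])


# Minimal fix: derive a distinct key per direction so the two keystreams differ.
# RC4 itself is broken and belongs replaced by an AEAD; this only isolates the
# direction-separation point.
def direction_key(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def encrypt_both_directions_fixed(master: bytes, outgoing: bytes, incoming: bytes):
    return (rc4_crypt(direction_key(master, b"client->server"), outgoing),
            rc4_crypt(direction_key(master, b"server->client"), incoming))


if __name__ == "__main__":
    out_msg = b"Are we still on for tonight?"            # constructed messages
    in_msg = b"Yes, meet me at the station at eight"
    c_out, c_in = encrypt_both_directions(SESSION_KEY, out_msg, in_msg)
    print("leaked:", recover_with_crib(c_out, c_in, out_msg))
    f_out, f_in = encrypt_both_directions_fixed(SESSION_KEY, out_msg, in_msg)
    print("fixed :", recover_with_crib(f_out, f_in, out_msg))
```

With the shared key, the attacker needs nothing but the two ciphertexts and a guess at one side’s text (a greeting, a protocol header, a message they sent themselves) to read the other side byte for byte. With per-direction keys the XOR of the ciphertexts is still masked by two independent keystreams and yields nothing.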
This isn’t the first spam email campaign centered around the app. Spammers also leveraged the service in November to push malware via email by tricking users into thinking they had a new voicemail, even though WhatsApp is a text messaging service with no calling feature.