1.0 Introduction

Recently, MyCERT has become aware of a malware campaign targeting Android users through messages circulated on WhatsApp and other major messaging platforms that promise to provide a new color theme for WhatsApp.

Disguised as an official update for the chat app, the “WhatsApp Pink” theme is in reality a variant of a wormable malware that spreads through WhatsApp and lures the prospective victims into downloading an app from a website masquerading as Google Play.

WhatsApp Pink is an updated version of the WhatsApp auto-reply worm that surfaced in January 2021. It seems to have been first spotted in India, where it was shared in various massive chat groups on popular instant messaging services. The Trojan’s updated version doesn’t auto-reply just to WhatsApp messages, but also to messages received on other instant messaging apps, which could be the reason for its apparent wider spread.

Figure 1: Screenshot from WhatsApp message stating “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp”. Upon clicking the link, WhatsappPink.apk is downloaded.

2.0 Impact
The Trojan, detected by ESET products as Android/Spams.V, automatically replies to messages received in apps such as WhatsApp, WhatsApp Business, Signal, Skype, Viber, Telegram and one of the various unofficial, third-party versions of WhatsApp, with a link to a website from which the Trojan itself can be downloaded.

In general, the possible impacts of installing unofficial applications on your devices include:

  • Misuse of contact numbers and pictures saved on the mobile
  • Financial loss
  • Misuse of your credentials
  • Loss of control over your mobile
  • Spam messages

3.0 Affected System and Devices
Android mobile devices.

4.0 Technical Details
Installing the downloaded APK did not show any visible suspicious behaviour, but static analysis of the app showed that it looks for notifications from a predefined list of applications, including Viber, Telegram, WhatsApp and Skype, and auto-responds to the sender with the message “New Pink Look Whatsapp Officially Launched with Extra Features Must try this. hxxp[://lookpink.xyz/?whatsapp” so that they download the app, spreading like a worm. The link in the message was down at the time of writing this alert.

The predefined list of chat apps is as shown in Figure 2. 

Figure 2: Apps list hardcoded in the fake app

Chat apps in the list are: 

  • com.viber.voip
  • com.skype.raider
  • com.skype.insiders
  • org.thoughtcrime.securesms
  • com.whatsapp.w4b
  • com.whatsapp
  • org.telegram.messenger
  • com.gbwhatsapp
  • com.whatsapp.plus
  • com.og.whatsapp
  • com.yowhatsapp
  • com.retro.whatsweb
  • com.FmWhatsApp

The app also checks whether it has permission to listen to notifications, either by verifying that it is listed under “enabled_notification_listeners” or by requesting the permission, as shown in Figure 3 and Figure 4.

Figure 3: Verification of notification listener permission

Figure 4: Request for notification listener permission

Once the service is listed among the enabled notification listeners, it starts and keeps monitoring for any posted notification. Whenever a notification is posted, the app checks whether it belongs to one of the apps in the predefined list; if so, it collects the phone number as shown in Figure 5.

Figure 5: Collecting the phone number from notifications

It then auto-replies to that phone number using sendReply, as shown in Figure 6.

Figure 6: Sending auto reply to the notifications

Random_Message is the string variable that carries the message and the link to download the malicious WhatsApp app.
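The worm depends on holding notification-listener access, the same “enabled_notification_listeners” setting it checks for itself. The following audit script is an added example, not MyCERT's or the malware's code: it reads that setting (over adb on a live device, or from a constructed value for offline use) and flags any listener component whose package is not on an assumed allowlist, so unexpected listeners can be reviewed and revoked.

```shell
#!/bin/sh
# Added example, not MyCERT's or the malware's code. Audits which apps hold
# notification-listener access on an Android device, the capability this worm
# relies on. Android keeps the grants in the secure setting
# "enabled_notification_listeners" as ':'-separated ComponentNames
# (package/class), readable over adb with:
#   adb shell settings get secure enabled_notification_listeners
# ALLOWED_LISTENERS is an assumed allowlist for illustration; adapt it to your fleet.

ALLOWED_LISTENERS="com.android.systemui com.google.android.wearable.app"

# Print every listener component whose package is not allowlisted.
#   $1: raw setting value   $2: space-separated allowlist of package names
flag_unexpected_listeners() {
    raw="$1"
    allow=" $2 "
    # An empty value or the literal "null" means no listener is enabled.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'
    for component in $raw; do
        pkg="${component%%/*}"          # ComponentName is package/class
        case "$allow" in
            *" $pkg "*) ;;              # expected, e.g. the system UI
            *) echo "$component" ;;     # unexpected: review or revoke
        esac
    done
    IFS="$old_ifs"
}

# Revoke listener access for a flagged component (requires adb on the host).
revoke_listener() {
    adb shell cmd notification disallow_listener "$1"
}

# Run against a connected device with: sh audit_listeners.sh --live
# (hypothetical file name). Without --live, only the functions are defined.
if [ "${1:-}" = "--live" ]; then
    current=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    flag_unexpected_listeners "$current" "$ALLOWED_LISTENERS"
fi
```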

We also noted that the malware author has not suppressed notifications or messages from those chat apps: the spam message sent automatically via the notification is visible to the user in the chat screen of the sender. This suggests that the app is still under development or that this is only the start of an attack, as the app only auto-replies to notifications and no other malicious activity had been identified at the time of writing this alert.

This attack may not sound new; however, users are still falling prey to such schemes out of curiosity and eagerness to be among the first to try something trendy.

5.0 Indicators Of Compromise (IOCs)

File Name          Hash                                K7 Detection Name
WhatsappPInk.apk   9a902d186c948e72af6b269862c27055    Trojan ( 0057b1c11 )
WhatsappPInk.apk   e1870d613d54239e8fb5f09b6a4e880d    Trojan ( 0057b20e1 )
WhatsappPInk.apk   90cfcde60b6cd57a2e9b2047cff51fb7    Trojan ( 0057b20e1 )
6.0 Recommendations
If you downloaded “WhatsApp Pink” you can either remove it through Settings and the App Manager submenu or install a full-featured Android security solution that will scan your device and remove it automatically.

By way of prevention, there are several steps you can take to mitigate the chances of falling victim to similar schemes in the future:

  • Never click on links or attachments that you received via an unsolicited message or from someone you don’t know
  • Only download apps from official app stores, since they have rigorous approval processes in place
  • Always use a reputable mobile security solution
  • Be wary of what kinds of permissions you grant to applications

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

7.0 References