Mobile phone malware can be a big problem for many users. As a general rule, to be safer you should only install an app directly from the Google Play Store, or from legitimate sites like your bank, PayPal or similar known, very safe sites when you want their own app. In my opinion you can never be completely safe installing Android apps.
This one all started when some clueless idiot decided to post a spam comment on this blog, spamming a link to an “improved or better” version of WhatsApp: an app called WhatsApp Plus.
That is always a big red flag and alerts to the possibility (probability) of malware.
The comment looked like this before I hit the spam button
These are the clueless spammer's details
I have WordPress set to notify me of all comments as soon as they are posted (I think that is the default setting, but if it isn’t, then all WordPress admins should enable it to help cut down on spam in their blog comments).
OK, now let's get to the malware itself.
The link in the comment went to http://www.googietricks.com/whatsapp-plus-download-2/ where following the download button sends you to http://www.mediafire.com/file/8e4nefcj69pjlfl/WaPlus-V6.00%28latestmodapks.com%29.apk
The domain googietricks.com was registered in September 2017 and is registered and hosted by GoDaddy on IP 220.127.116.11. I have no idea how much content on the site is good or useful, but it has annoying pop-ups on every action trying to get you to “Facebook like” the site.
You end up with a file that is detected on VirusTotal as malware. Most antivirus products don’t routinely detect Android malware on VirusTotal. In fact, the majority of AV in my experience only detect Android malware using the Android or mobile version of their AV, not the desktop version, which is generally tuned to Windows malware.
There are not a lot of Android APK analysers available for public use. I have quickly run this file through 2 online sandboxes that I use that do analyse Android files (to some degree): Hybrid Analysis | Joe Sandbox | NVISO APK Scanner

One of the big problems of analysing Android APKs on a sandbox is that a lot of Android apps only work on certain Android versions. Some work on older Android versions and won’t work properly on newer versions. Some only work on the latest Android OS. If you don’t correctly set the sandbox to use the specific required or acceptable version, you get unpredictable results.
I am not certain exactly what this does, but from the sandbox reports it looks like it has the potential to steal information, photos, phone numbers, etc. from your mobile phone.
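As an added example (not part of the original post, and not output from this sample): before submitting an APK to a sandbox, the text output of `aapt dump badging <file.apk>` can be parsed to read the minimum and target SDK levels, which tell you which Android versions to set the sandbox to, and to list the declared permissions that cover the kinds of data mentioned above. The sample output and its package name are constructed, and the `triage` helper and its permission list are illustrative assumptions.

```python
import re

# API level -> Android release, for choosing the sandbox OS image.
API_TO_ANDROID = {16: "4.1", 17: "4.2", 18: "4.3", 19: "4.4", 21: "5.0",
                  22: "5.1", 23: "6.0", 24: "7.0", 25: "7.1", 26: "8.0"}

# Platform permissions that gate the data types mentioned in the post.
SENSITIVE = {
    "READ_CONTACTS": "contacts and phone numbers",
    "READ_SMS": "SMS messages",
    "READ_CALL_LOG": "call history",
    "READ_PHONE_STATE": "own phone number and device identifiers",
    "READ_EXTERNAL_STORAGE": "photos and files on shared storage",
    "ACCESS_FINE_LOCATION": "precise location",
}
PREFIX = "android.permission."

# Constructed sample of `aapt dump badging` output (hypothetical package).
SAMPLE_BADGING = """\
package: name='com.example.messenger.mod' versionCode='600' versionName='6.00'
sdkVersion:'16'
targetSdkVersion:'23'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""

def triage(badging: str) -> dict:
    def sdk(key):
        # Anchored at line start so "sdkVersion" does not match "targetSdkVersion".
        m = re.search(rf"^{key}:'(\d+)'", badging, re.M)
        return int(m.group(1)) if m else None

    min_sdk, target_sdk = sdk("sdkVersion"), sdk("targetSdkVersion")
    # Older aapt prints uses-permission:'X'; newer prints uses-permission: name='X'.
    perms = re.findall(r"^uses-permission:\s*(?:name=)?'([^']+)'", badging, re.M)
    flagged = {p[len(PREFIX):] for p in perms if p.startswith(PREFIX)}
    return {
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "min_android": API_TO_ANDROID.get(min_sdk, "unknown"),
        "target_android": API_TO_ANDROID.get(target_sdk, "unknown"),
        # Declared permissions show capability only, not proof of theft.
        "sensitive": {p: SENSITIVE[p] for p in sorted(flagged & SENSITIVE.keys())},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BADGING).items():
        print(f"{key}: {value}")
```

A legitimate messaging app declares many of the same permissions, so the list is a pointer to what to look for in the sandbox report rather than a verdict.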