The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook for a staggering $16 billion. Cybercriminals didn’t waste much time to capitalize on this bit of news: barely a week after the official announcement, we saw a spam attack that claims that a desktop version of the popular mobile app is now being tested.
Figure 1. Screenshot of spammed message
Our engineers found a spam sample that mentions Facebook’s purchase of WhatsApp, and also says that a version of WhatsApp is now available for users on Windows and Mac PCs. The message also provides a download link to this version, which is detected as TROJ_BANLOAD.YZV, which is commonly used to download banking malware. (This behavior is the same, whether on PCs or mobile devices.)
That is the case here; TSPY_BANKER.YZV is downloaded onto the system. This BANKER variant retrieves user names and passwords stored in the system, which poses a security risk for online accounts accessed on the affected system. The use of BANKER malware, coupled with a Portuguese message, indicates that the intended targets are users in Brazil. Feedback from the Smart Protection Network indicates that more than 80 percent of users who have accessed the malicious site do come from Brazil.
Although the volume of this spam run is relatively low, it is currently increasing. One of our spam sources reported that samples of this run accounted for up to 3% of all mail seen by that particular source, which indicates a potential spam outbreak.
We strongly advise users to be careful of this or similar messages; WhatsApp does not currently have a Windows or Mac client, so all messages that claim one exists can be considered scams. Trend Micro protects users from this spam attack via detecting the malicious file and spam, as well as blocking the related web site.
With additional analysis from Sabrina Sioting.