Last year, Kaspersky researchers wrote about the Triada Trojan inside FMWhatsApp, a modified WhatsApp build. At that time, they discovered a dropper inside the distribution, along with an advertising SDK. This year, the situation has repeated itself with a different modified build, YoWhatsApp version 184.108.40.206. Inside it, researchers found a malicious module that they detect as Trojan.AndroidOS.Triada.eq.
The module decrypted and launched the Trojan.AndroidOS.Triada.ef main payload.
In addition, the malicious module stole various keys required for legitimate WhatsApp to work. Kaspersky assumes that, to resolve this problem, the cybercriminals had to figure out all the intricacies of the messenger before writing the new version.