Cyber-criminals are always trying to attract people’s attention in order to carry out their crimes. So it should be no surprise that they have now found a combined way of using Facebook (the world’s largest social network), WhatsApp (the leading text messaging program for smartphones, recently bought by Facebook) and Android (the most popular operating system for mobile devices) to defraud users.

The group behind this attack uses advertising on Facebook to entice victims and trick them into installing their apps. When you access Facebook from your Android mobile device, you will see a ‘suggested post’ (Facebook’s subtle euphemism for an advertisement) advertising tools for WhatsApp:



As you can see, not only do they use the most popular platforms to attract users, they also appeal to the curiosity of users by offering the chance to spy on their contacts’ conversations. You can see how successful this is by looking at the number of ‘Likes’ and comments it has. Yet this is not the only lure they’ve used. Below you can see another suggested post promising an app that lets you hide your WhatsApp status:



Facebook offers targeted advertising, i.e. advertisers can specify which type of users they want to see their ads and where the ads appear (e.g. in the right-hand column, as suggested posts, etc.). In this case it seems that the ad is only shown to Spanish Facebook users who access the social network from an Android mobile device, because these are the victims that the cyber-crooks behind this scam are after. You can see this in the screenshots, which were taken from a Spanish Facebook account on an Android mobile device. We also tried using the same account from a PC, an iPad and an iPhone, and in none of these cases were the ads displayed.

If you click on the image in any of the ads that we’ve shown, you’ll be redirected here:



As any Android user can tell, this is Google Play, specifically, a page for an app. It has the option to install it, and shows over one million downloads and a 3.5-star rating by users (out of 5). If you go down the screen you can see numerous positive comments, and the votes of over 35,000 users who have rated it:



However, a suspicious eye can see that not all the numbers add up:

– The app has a score of 4.5, yet the number of stars is 3.5


– You can see that the score is calculated on the basis of the votes from 35,239 users. Yet if you add up the number of votes that appear on the right, the total is 44,060 votes:


So how can this be happening in Google Play? As some of you may have guessed, this is happening because it is not Google Play. It is really a Web page designed to look like the Play Store, so users think they are in a trusted site. The browser address bar, as you can see in the screenshots here, is hidden at all times. If you click on the ‘Install’ button, a file called “whatsapp.apk” is downloaded.

When it runs, this app displays the following screen:



Look carefully at the bottom of the screen, below the ‘Continue’ button, and you will find barely legible text which, if we zoom in a bit, reads as follows:


In English:

Cost per SMS received €1.45

The use of this application is subject to the following terms and conditions: On subscribing to the service you will have access to periodically updated content and multimedia content for your phone. The service provider is MICAMOSA MON DE SERVEI. SLU. Tel 900844456. Cost of the subscription service €1.45 per minute. Subscription to 797025. UNSUBSCRIBE to 797025 to unsubscribe.

As with a case that we reported some days ago, it lists a series of conditions regarding subscription to a premium-rate SMS service. Yet by clicking ‘Continue’ the only (visible) thing that happens is that a Web page opens which does indeed contain tips about WhatsApp, although none of these are the kind of things advertised originally (where they claimed you could spy on contacts’ WhatsApp messages).

The danger however, lies in what you don’t see. First, it goes through the list of registered user accounts searching for the WhatsApp account in order to get the corresponding phone number. If WhatsApp is not installed or it fails to get the phone number, it uses an API to access system services in order to get this information.

It then randomly selects one of the following numbers:




It does this to select which of these three premium SMS services it will subscribe the user to. The text of the service terms and conditions (the illegible text that appears when you open the application and you can see the ‘Continue’ button) will depend on the specific service selected. In this text (depending on the number selected) you can see the names of these two companies:



It then installs an SMS receiver to manage inbound text messages. What is interesting is the technique used to prevent users from realizing they have received text messages from any of the three numbers mentioned above. If everything goes fine, this SMS receiver aborts the delivery process and the user never sees those SMS messages. If something goes wrong, it uses a clever technique to try to go unnoticed: it turns on the device’s silent mode for a couple of seconds, so the user won’t hear the notification sound, and then it marks the message in the inbox as read.

Although this SMS receiver has a higher priority than the operating system message controller, we have been running some tests and it looks like in the most recent Android version (4.4) it can’t take control and filter the incoming SMS messages, and this is when plan B comes into play. In previous Android versions this trick is not needed, as the receiver can block these SMS messages and delete them before they are shown on the device.

The app has an SMS counter, so when the first message arrives from the premium-rate SMS service, it reads it to obtain the necessary PIN, and registers on the corresponding website to activate the premium-rate service.

Another interesting thing we’ve come across is that it hides messages from the number 22365. It turns out that Orange sends a warning SMS to users who have activated this kind of premium service, and that SMS comes from the number 22365. The Trojan deletes this message so the user won’t know they have been subscribed to this premium service.
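As an added example (not code from the original article or from the analysed app), here is a static triage in Python of a decoded `AndroidManifest.xml` that flags the combination described above: an SMS receiver registered with raised priority, plus the permissions such behaviour normally requires. The sample manifest, its package and class names are constructed, and the permission-to-behaviour mapping is an assumption based on standard Android permissions, not a list taken from the sample.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Assumed mapping: standard Android permission -> behaviour described in the article.
RISKY = {
    "android.permission.RECEIVE_SMS": "intercept inbound SMS",
    "android.permission.WRITE_SMS": "mark as read or delete inbox messages",
    "android.permission.GET_ACCOUNTS": "enumerate registered accounts",
    "android.permission.READ_PHONE_STATE": "read the phone number",
}

# Constructed sample manifest; package and class names are made up.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tips">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsGate">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml, min_priority=1):
    """Return findings for a decoded manifest; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    findings = [f"permission {p}: {why}" for p, why in RISKY.items() if p in perms]
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            try:
                prio = int(flt.get(NS + "priority", "0"))
            except ValueError:  # malformed value: treat as the default priority
                prio = 0
            # Default priority is 0; anything higher asks to run before other receivers.
            if SMS_RECEIVED in actions and prio >= min_priority:
                name = rcv.get(NS + "name")
                findings.append(f"receiver {name}: SMS_RECEIVED priority {prio}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The manifest inside an APK is binary XML, so it has to be decoded to text (for example with apktool) before it is passed to `triage`.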

Going back to the ‘visible’ part of the app, after clicking ‘Continue’ you will see some supposed ‘tricks’ for WhatsApp:


As you can see in the complete list, there is absolutely nothing special about these, and they can’t reasonably be referred to as ‘tricks’:

  • How to tell if you’ve been blocked
  • How to block a contact
  • Change your status
  • Send much more than just messages
  • Change your profile image
  • Create shortcuts to chats
  • Use Enter to send messages
  • Make a backup of your chats
  • Save the pictures you’ve been sent
  • Change the chat background
  • Send someone the chat history

In fact all these ‘tricks’ are readily available from the page that hosts the apps and without having to subscribe to a premium-rate service. If you go to the main website, you can see that they are not only using WhatsApp as bait, but also any popular app or topic:


And the way they operate is identical. It takes you to an imitation of Google Play, where you can download the corresponding app, and which has the same hidden functions as described above:


If you look closely, you can see that they reuse some of the data from the first case we described (rating, downloads, and the number of votes) but the comments are customized in each case:


Finally, we want to remind users of Panda Mobile Security that the ‘Privacy Auditor’ feature can be used to check whether these apps are classified under the category ‘Cost money’, and if so, they can be deleted from there. We also remind you that this does not mean that all apps in this category are malicious: any app with sufficient permissions to operate in the way we have described will be in this category. If you see an app you’ve installed that shouldn’t have these permissions, delete it immediately.