New WhatsApp Worm Steals Your Chats, Spreads to Your Friends (It Hides Commands in a GMail Account)


 URGENT ANDROID ALERT • MOBILE MALWARE


By CyberDudeBivash • October 29, 2025

 cyberdudebivash.com |   cyberbivash.blogspot.com 


Disclosure: This is a public service security advisory. It contains affiliate links to security solutions we recommend. Your support helps fund our public awareness efforts.

TL;DR: URGENT ANDROID ALERT

A new Android malware, “DraftWorm,” is spreading rapidly via WhatsApp in India. It tricks you into installing a fake “WhatsApp Green Theme” app from a website (sideloading).

  • **The Attack:** The malware uses **Accessibility Service** permissions to take over your phone. It automatically sends itself to *all* your WhatsApp contacts, spreading like a worm.
  • **The Theft:** It is a powerful spyware that steals your **entire contact list**, your **full SMS history** (including all 2FA codes from banks), and your **WhatsApp chat database**.
  • **The Evasion:** It uses a novel C2 method, hiding its commands in the **Drafts folder of a Gmail account**. This makes its traffic invisible to firewalls, as it looks like legitimate Google activity.
  • **The Fix:** **NEVER install apps from outside the Google Play Store.** Go to **Settings > Accessibility** and immediately revoke permissions for any app you don’t trust. Use the step-by-step removal guide in this report.

FREE DOWNLOAD: The CISO’s BYOD & Mobile IR Playbook (PDF)

Your attack surface is now in your employees’ pockets. Get our ready-to-use policy template to manage the risk of sideloaded apps, spyware, and the “DraftWorm” threat in your corporate environment.

Get the Policy Template (Email required)

 Definitive Guide: Table of Contents 

  1. Part 1: The Executive & User Briefing — A New Generation of “Living Off the Cloud” Worm
  2. Part 2: Technical Deep Dive — Anatomy of the “DraftWorm” (Gmail “Dead Drop” C2)
  3. Part 3: The Defender’s Playbook — How to Check & Remove It (A Step-by-Step Guide)
  4. Part 4: The CISO’s Briefing — The BYOD Nightmare & The Death of SMS 2FA

Part 1: The Executive & User Briefing — A New Generation of “Living Off the Cloud” Worm

A new and highly invasive Android spyware campaign, which we are tracking as **“DraftWorm,”** is spreading rapidly among WhatsApp users, with a high concentration of infections in India. This is not just adware; it is a full-featured Remote Access Trojan (RAT) with a worm-like propagation method designed to steal your most intimate data: your contacts, your private photos, your WhatsApp chat history, and, most critically, your entire SMS message inbox.

What makes “DraftWorm” a next-generation threat is its **Command and Control (C2)** mechanism. Instead of connecting to a suspicious, malicious domain that can be easily blacklisted, DraftWorm “lives off the cloud.” It uses a legitimate, globally trusted service—**a Gmail account**—as its C2 server. It receives its commands by secretly logging into a Gmail account and reading the `Drafts` folder. This technique makes its traffic completely invisible to network security tools, as it blends in with the millions of other legitimate Google service connections.


Part 2: Technical Deep Dive — Anatomy of the “DraftWorm” (Gmail “Dead Drop” C2)

This is a multi-stage attack that relies on human error and the abuse of legitimate Android features.

Stage 1: The Lure & Sideloading Vector

The attack begins with a WhatsApp message from a compromised contact. The message contains a link to a high-quality, deceptive website promoting a “new” feature, like “WhatsApp Green Theme” or “WhatsApp Premium Video.” This site instructs the user to download an APK file (an Android app) and “sideload” it. This is the **initial infection vector**. The user must bypass Android’s built-in security warnings to install an app from an “unknown source.”

Stage 2: The “Game Over” Permission: Accessibility Services

Once installed, the fake app is a “dropper.” It presents a fake screen claiming it needs **“Accessibility Service”** permissions to “apply the color theme.” This is the “game over” moment. Granting this permission is the equivalent of giving an app `root` access to your user interface. The malware now has the ability to read your screen and perform any click or gesture as if it were you.

Stage 3: The Worm (Propagation)

The malware immediately uses its new powers to spread. It uses the Accessibility Service to:

  1. Open the user’s `Contacts` app.
  2. Steal every phone number.
  3. Open the user’s `WhatsApp` app.
  4. Systematically open a new chat for every contact, paste the malicious link, and press “send.”

This all happens in the background, often while the user’s screen is off. The user is now an active distributor of the worm.

Stage 4: The C2: Gmail “Dead Drop”

This is the core innovation. The malware contains hardcoded, obfuscated credentials for an attacker-controlled Gmail account.

  • **Polling:** The malware logs into this Gmail account (using standard, encrypted Google API calls) and polls the `Drafts` folder.
  • **Receiving Commands:** The attacker, from anywhere, logs into the same account and writes a new draft. The malware is programmed to look for a specific subject (e.g., `TASK_NEW`). The body of the draft contains the command (e.g., `exfil_sms`).
  • **Execution & Cleanup:** The malware parses the command, executes it (stealing the SMS inbox), and then deletes the draft.
  • **Exfiltration:** The stolen data is then exfiltrated by creating a *new* draft and saving the compressed data in the draft’s body, which the attacker can then retrieve at their leisure.

This makes the attack incredibly resilient. There is no malicious IP to block. All C2 traffic is just HTTPS traffic to `gmail.com`.


Part 3: The Defender’s Playbook — How to Check & Remove It (A Step-by-Step Guide)

If you have downloaded *any* app from outside the Google Play Store, you must assume you are at risk. Here is the emergency action plan.

Step 1: Check for the Infection (Are You at Risk?)

  1. **Check Your Accessibility Permissions:** This is the #1 place to check. Go to **`Settings` > `Accessibility` > `Installed apps`**. Look for *any* app in this list that is not a core Android service or a tool you 100% trust (like an official password manager). If you see “WhatsApp Green Theme” or *any* other suspicious app here, **YOU ARE COMPROMISED.**
  2. **Audit Your Apps:** Go to **`Settings` > `Apps` > `See all apps`**. Carefully review every single app on your phone. Look for any app you do not recognize.
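For an administrator or incident responder triaging a device over USB rather than tapping through Settings, the same two checks can be run from `adb` and scored automatically. The script below is an added example written for this guide, not tooling from the original advisory or from any vendor. It assumes the standard output formats of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` entries, or `null`) and `adb shell pm list packages -3 -i` (`package:<name>  installer=<installer>`), and it embeds constructed sample output so it runs offline; the package names and the allowlists are hypothetical and should be replaced with your own baseline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# TalkBack is a legitimate Google screen reader; the second entry is a hypothetical
# sideloaded "theme" app holding the same power.
ACCESSIBILITY_RAW = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.whatsapp.greentheme/com.whatsapp.greentheme.ThemeService"
)

# Constructed sample output of:
#   adb shell pm list packages -3 -i
# (-3 = third-party packages only, -i = show the installing package)
PACKAGES_RAW = """\
package:com.whatsapp  installer=com.android.vending
package:com.whatsapp.greentheme  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
package:com.example.unknown  installer=null
"""

# Hypothetical baselines: apps allowed to hold Accessibility, and installers we trust.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store


def parse_accessibility(raw: str) -> List[str]:
    """Return the package names that currently hold an enabled Accessibility Service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    # Each entry is "package/ServiceClass"; keep only the package part.
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> Dict[str, str]:
    """Map each third-party package to the package that installed it."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def triage(acc_raw: str, pkg_raw: str,
           trusted_acc=TRUSTED_ACCESSIBILITY,
           trusted_inst=TRUSTED_INSTALLERS) -> List[Tuple[str, str, str]]:
    """Score the device: (severity, package, reason), most severe first."""
    enabled = parse_accessibility(acc_raw)
    installers = parse_installers(pkg_raw)
    sideloaded = {pkg for pkg, inst in installers.items() if inst not in trusted_inst}

    findings: List[Tuple[str, str, str]] = []
    # An untrusted app with Accessibility is the "game over" condition described above;
    # if it was also sideloaded, it matches the DraftWorm pattern exactly.
    for pkg in enabled:
        if pkg in trusted_acc:
            continue
        if pkg in sideloaded:
            findings.append(("CRITICAL", pkg,
                             "untrusted, sideloaded app holds an Accessibility Service"))
        else:
            findings.append(("HIGH", pkg, "untrusted app holds an Accessibility Service"))
    # Remaining sideloaded apps are worth a look even without Accessibility.
    for pkg in sorted(sideloaded):
        if pkg not in enabled:
            findings.append(("MEDIUM", pkg,
                             f"installed outside Google Play (installer={installers[pkg]})"))
    return findings


if __name__ == "__main__":
    for severity, pkg, reason in triage(ACCESSIBILITY_RAW, PACKAGES_RAW):
        print(f"[{severity}] {pkg}: {reason}")
```

In a live triage you would replace the two constructed strings with the real command output (for example via `subprocess.run(["adb", "shell", ...], capture_output=True, text=True).stdout`). A CRITICAL finding is the signal to start the Emergency Removal Procedure below; treat it as confirmed compromise, not a false positive to argue with.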

Step 2: The Emergency Removal Procedure (If You Suspect Infection)

You must act immediately to remove the malware and cut off its access.

  1. **Disconnect:** Immediately turn off Wi-Fi and Mobile Data on your phone. This cuts the malware off from its Gmail C2.
  2. **Reboot into Safe Mode:** This is the most critical step. Press and hold your phone’s power button. When the power-off options appear, **press and hold** the “Power off” icon until you see a “Reboot to safe mode” prompt. Tap “OK”. Safe Mode disables all third-party apps, which should stop the malware from running.
  3. **Revoke Malicious Permissions:**
    • In Safe Mode, go to **`Settings` > `Security` > `Device Admin Apps`**. Find the malicious app and **deactivate** its admin privileges.
    • Go to **`Settings` > `Accessibility` > `Installed apps`**. Find the malicious app and **turn its permission OFF**.
  4. **Uninstall the Malware:** Go to **`Settings` > `Apps` > `See all apps`**. Find the fake “WhatsApp Green Theme” or other suspicious app. Tap it, and then tap **`Uninstall`**.
  5. **Reboot Your Phone Normally:** This will exit Safe Mode.
  6. **Run a Professional Mobile Security Scan:** This is essential to clean up any leftover files. Go to the **Google Play Store** (your only trusted source) and install a top-tier mobile security app.

Recommended Post-Infection Security Stack

Kaspersky Premium for Android

A full-featured mobile security suite that will perform a deep scan to find and remove any remnants of the ‘DraftWorm’ backdoor and other malware. Its real-time protection helps block these threats *before* they can install.

Run a Full Scan with Kaspersky

Edureka Cybersecurity Training

Want to learn how to find and reverse-engineer malware like this? A certification in ethical hacking is the first step.

Learn Ethical Hacking

Step 3: The Post-Removal Security Hardening

  1. **Change Your Passwords:** Immediately change the passwords for all your critical accounts (Google, banking, social media), as the malware may have stolen them from your clipboard or SMS messages.
  2. **Warn Your Contacts:** Inform your contacts that your phone was infected and they should not click any links they may have received from you.
  3. **MIGRATE OFF SMS 2FA:** This is a critical strategic step. This malware proves that SMS-based 2FA is fundamentally broken. Move all of your accounts to a more secure 2FA method, like a hardware security key (YubiKey) or a TOTP authenticator app.

Part 4: The CISO’s Briefing — The BYOD Nightmare & The Death of SMS 2FA

For CISOs, “DraftWorm” is a nightmare scenario for your **Bring Your Own Device (BYOD)** policy. A single infected employee phone is now an active, worming threat on your network, sending malicious links to other employees and, potentially, your C-suite.

The Risk: SMS 2FA is a Compromised Control

The most catastrophic impact to the enterprise is the theft of the SMS inbox. If your corporate VPN, cloud portals, or other sensitive applications rely on SMS for multi-factor authentication, **you must assume those controls are now useless.** An attacker with this malware can steal an employee’s password via other methods (like the clipboard or a separate phishing attack) and then intercept the SMS 2FA code in real-time to gain full, authenticated access to your network.

The Mandate: Enforce a “Zero Sideloading” & “Zero Trust” Policy

This incident is a powerful business case for two non-negotiable strategic mandates:

  1. **A “Zero Sideloading” BYOD Policy:** You must use your Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution to **block the installation of apps from “Unknown Sources”** on any device that accesses corporate data. There is no other way to prevent this infection vector.
  2. **A True Zero Trust Identity Model:** You must immediately begin a project to **migrate all 2FA off of SMS**. As we detailed in our **Ultimate Guide to MFA**, the gold standard is phishing-resistant hardware keys.

Explore the CyberDudeBivash Ecosystem


Our Core Services:

  • CISO Advisory (Zero Trust & BYOD Policy)
  • Penetration Testing & Red Teaming
  • Digital Forensics & Incident Response (DFIR)
  • Advanced Malware & Threat Analysis
  • Mobile Application Security Audits

Follow Our Main Blog for Daily Threat Intel.  Request a Mobile Security Audit

About the Author

CyberDudeBivash is a cybersecurity strategist with 15+ years in mobile security, malware analysis, and Zero Trust architecture, advising CISOs across APAC.

[Last Updated: October 29, 2025]

  #CyberDudeBivash #Android #Malware #WhatsApp #Spyware #CyberSecurity #InfoSec #ThreatIntel #MobileSecurity #2FA
