Fouad WhatsApp, scraping through innovation

On the 11th of July, the head of WhatsApp, Will Cathcart, tweeted a thread about fake or modified versions of the most widespread instant messaging application. “Reminder to users that downloading a fake or modified version of WhatsApp is never a good idea. These apps sound harmless but may work around WhatsApp privacy and security guarantees”.

These “cloned” versions offer extra functionalities, are easy to set up on a smartphone, and run like the original app. Yet, the WhatsApp official website warns that they are “unsupported” as they are suspected of “harvesting information in unacceptable ways, also known as scraping”. Your official WhatsApp account will be banned if you are detected using one.

Among the modified versions (“mods”) is Fouad WhatsApp (also known as “Fouad mod”). The creators recently published a release of it, which promises a new feature: the “Anti-Ban”. It allegedly protects the user from being banned. This innovation is another step in the constant race to capture more customers. But what’s behind the anti-ban?

Fouad WhatsApp, a cyber investigation

The official WhatsApp and the mods

WhatsApp is among the most popular social networks globally, counting around 2B users (according to the website statista.com). Furthermore, the application has also generated a cascade effect, opening the doors to many copycats or mods.

WhatsApp’s official website defines “WhatsApp Plus, GB WhatsApp, or apps that claim to move your WhatsApp chats between phones” as altered versions. “These unofficial apps are developed by third parties and violate our Terms of Service”, the company clarifies. “WhatsApp doesn’t support these third-party apps because we can’t validate their security practices”.

The mods are reportedly engaged in “the extraction of information [phone numbers, profile pictures or statuses], both targeted and at scale, using an automated or manual tool for any unpermitted purposes”.

It is a big deal for a company now proud of assuring privacy in communications through end-to-end encryption. Only the chatting users can read the messages, which prevents outsiders (including the platform itself) from accessing the shared content.

The official WhatsApp suggests the mods don’t use encryption and, in some cases, even have scraping as their purpose. Is it true?

Mods, how they are built

Building a mod is not easy, as WhatsApp is not open-source. It is free, and you can use it without paying. Still, its source code is unavailable online: outsiders cannot read or deploy it. Thus, creating mods requires skills and knowledge of reverse engineering.

However, their developers often understand individuals’ actual needs. The GB WhatsApp version allows users with more than one WhatsApp account to access their distinct profiles on the same device or to see messages that have been deleted. With some mods, it is possible to hide the receipt of communications, the viewing confirmation, and also the status of “online”, “typing”, and “recording audio”. Some versions also let people send videos up to 16 GB, audio up to 10 MB, and uncompressed images, and keep a profile status without a time limit.

In some cases, these mods allow the creation of chat groups accessible only through a PIN code or even a fingerprint, allegedly out of care for security and privacy. Yet, the attention to these topics is not so consistent.

Fouad Mod, a dangerous app

The developer of Fouad Mod (known as “FoudMakkad”) has recently released a new version: 9.41. Searching the app’s name on the web, you can find a lot of websites allowing its download. One of them seems to be devoted only to this mod: www.fouadmods.net.

Here, the update is described as “designed” for providing many features: “customisation, app lock, conversation locks, privacy mods, and many more”. Is this website trustworthy?

The IP and the Russian scammers

MyIp.ms is a valuable tool for analysing a domain. It is an online database “that helps you find out who hosts a website”. If you type the website name “fouadmods.net”, MyIp.ms shows some information on the linked server.

It also has a section with information on the IP address: a sequence of digits that identifies the network endpoint answering for the site. According to MyIp.ms, the IP connected to fouadmods.net is 188.114.96.2. Over 600,000 live websites (and possibly many distinct individuals through a reverse proxy) are using this address, so it identifies a shared front end rather than fouadmods.net alone.

The IP Report

This address is recorded on the MyIp.ms blacklist. The reason is a user submission. “Hacker detected on the 29th of May 2022”, the alert reads. Mr Miso Bomadi had reported this IP with a specific explanation: “Russian scammers! Block their, pls!”

The file as a Trojan

You can easily download Fouad Mod 9.41. If you click on the section “FoaudWhatsApp” on fouadmods.net, you are redirected to another website: www.apk.fm. There you can access many different modified Android apps, including the new update of our mod.

According to some OSINT tools, this file doesn’t seem so safe. The responses are alarming if you try analysing it on some web services.

Hybrid-Analysis

Hybrid-Analysis.com is “a free malware analysis service that detects unknown threats”. The latest Fouad Mod update (named here 9.40 and identified by the unique “digital fingerprint” left by the software: SHA-256: 199aab57353be4cf5d64ee157db9e6f2d28f98b07605b191275031897f69b68c) is flagged as “suspicious”.

VirusTotal

Virus Total Report on Fouad Mod 9.41

VirusTotal.com reached a similar conclusion. It is a website that aggregates the results of scan engines and antivirus products to build a profile of the queried file.

Here, the 9.41 Fouad Mod update (identified by the same SHA-256: 199aab57353be4cf5d64ee157db9e6f2d28f98b07605b191275031897f69b68c) is flagged as “malicious” by 4 security vendors. K7GW detected it as a “Trojan”, malware that misleads users about its true intent. Tencent identified it as a “privacy spiderbank”, a program used to harvest information.

The clues for a discovery

Using a mod could be dangerous. In 2021, the blog world-today-news.com listed five ways to recognise that a contact is using an unsupported version of WhatsApp.

  1. Last seen: in some mods, the “last seen” can’t be updated, and the description only shows when the app was first downloaded. For example, if the mod was downloaded in 2020, then “last seen” will say “last active 2020”, even though the account has been used since;
  2. Check message: in mods, “even if there is one grey tick, messages can reach the recipient, and they can answer” without changing the tick;
  3. Delete message feature: “if the message you sent has been deleted, but the recipient can reply, he is a mod user”;
  4. Status feature: “if your WhatsApp status has passed 24 hours or is deleted and other users can reply to messages on the missing status”, then those are using a mod;
  5. Typing: on mods, the typing feature can be disabled. A user who receives a rapid series of messages without ever seeing the description “typing” on the sender’s profile can infer that the sender is using a mod.

Other clues could be:

Videos above 30 seconds: people cannot post status videos longer than 30 seconds on the official WhatsApp, while some mods allow it;

Spamming: other rare behaviours include adding people to groups without their consent, and sending or forwarding messages in bulk.

Anomalies detection

Artificial intelligence can detect anomalies.

For instance, WhatsApp can automatically identify spam based on:

  1. the high message rate in a short time;
  2. the sending of identical messages to multiple recipients (detected because identified by the same so-called “hash sum”, even if the text is encrypted);
  3. the high volume of messages sent.
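
The three signals listed above can be sketched as a small detector run over a message log. This is an added example, not WhatsApp's code: the thresholds, the event format and the assumption that a per-message content digest is available to the detector are all illustrative.

```python
import hashlib
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not WhatsApp's real values).
RATE_WINDOW_S = 60   # sliding window length, in seconds
RATE_LIMIT = 5       # more messages than this inside one window is a burst
FANOUT_LIMIT = 3     # same digest sent to more recipients than this
VOLUME_LIMIT = 8     # total messages per sender in the analysed period


def digest(body: bytes) -> str:
    """Content fingerprint ("hash sum"); assumed visible to the detector."""
    return hashlib.sha256(body).hexdigest()


def score_senders(events):
    """events: (timestamp_s, sender, recipient, digest) tuples sorted by time.
    Returns {sender: set of triggered rule names}; clean senders are absent."""
    window = defaultdict(deque)                     # sender -> recent timestamps
    fanout = defaultdict(lambda: defaultdict(set))  # sender -> digest -> recipients
    volume = defaultdict(int)                       # sender -> message count
    flags = defaultdict(set)
    for ts, sender, recipient, dg in events:
        q = window[sender]
        q.append(ts)
        while ts - q[0] >= RATE_WINDOW_S:           # drop timestamps outside window
            q.popleft()
        if len(q) > RATE_LIMIT:                     # rule 1: high rate, short time
            flags[sender].add("high_rate")
        fanout[sender][dg].add(recipient)
        if len(fanout[sender][dg]) > FANOUT_LIMIT:  # rule 2: identical fan-out
            flags[sender].add("identical_fanout")
        volume[sender] += 1
        if volume[sender] > VOLUME_LIMIT:           # rule 3: high total volume
            flags[sender].add("high_volume")
    return dict(flags)


def sample_events():
    """Constructed sample: 'bulk' sends one text to 6 recipients in 10 s,
    'chatty' sends 9 distinct messages to one contact, 'normal' sends 2."""
    ev = []
    promo = digest(b"WIN A FREE PHONE http://example.invalid")
    for i in range(6):
        ev.append((i * 2, "bulk", f"r{i}", promo))
    for i in range(9):
        ev.append((i * 60, "chatty", "friend", digest(f"msg {i}".encode())))
    ev += [(30, "normal", "a", digest(b"hi")), (400, "normal", "a", digest(b"bye"))]
    return sorted(ev)
```

On the constructed sample, the bulk sender trips the rate and fan-out rules, while the chatty but legitimate sender trips only the volume rule, which shows why a single signal on its own produces false positives.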

In addition, according to Cathcart, “Google Play Protect on Android can now detect and disable previously downloaded malicious fake versions of WhatsApp”.

But the mentioned features can also prompt users who notice oddities in a contact’s behaviour to press the “Report Spam” or “Block” button. After a few reports, WhatsApp can temporarily ban the suspicious account.

The anti-Ban

Nevertheless, the mods’ creators became aware of this battle and are trying to react by building clones that cannot be recognised.

Unlike previous versions, the new Fouad Mod is proudly described as anti-banning. The website apk.fm states that “the features of this application are continuously updated so that it will be safe from being banned”.

Yet, some doubts can arise over the true technological innovation of an anti-ban version. The website hackerbot.net, speaking of game bans, suggests that “anti-ban is just a marketing term that shady sites use” to persuade people to download.

On the 4th of September, the website lusogamer.com explained how the mod WhatsApp+ with anti-ban is supposed to work. This version can’t lead to a ban because – the statement reads – it “follows some of the regulations of the real product. Therefore, it is called Anti banned Application”. In a nutshell, a more accurate emulation.

Copycats

WhatsApp’s ability to engage users is enormous. Since launching in 2009, its services have become popular in over 180 countries. However, five countries in the world forbade the app in some capacity: China, North Korea, Syria, Qatar and the UAE. Most refuse it for security and political reasons, while others want to promote local telecommunication companies.

Dubai and the other Emirates don’t entirely ban WhatsApp. You can’t make video and voice calls, but you can still send and receive texts.

In China

The case of China is more problematic. There, a “Great Fire Wall” (as called by the business reporter Lulu Chen in her 2022 book “Influence Empire: The Story of Tencent and China’s Tech Ambition”) blocks many people from accessing Facebook, Twitter, Instagram, YouTube, and the New York Times.

Another app, WeChat, offers the same messaging service but is managed by a Chinese company. Born as a WhatsApp-like software, WeChat has now morphed into a vast online bazaar, becoming a blend of the Western WhatsApp, Facebook, and eBay. Currently, it is “the largest social media platform in the world, after Facebook and WhatsApp, attracting more users than Twitter and Snapchat”, according to Chen.

Yet, WeChat nowadays faces the problem of censorship. Chinese government regulators started tracking private conversations and chats (with the consent of the app owner Tencent). Users have been blocked or even detained by police for sending messages critical of the government. Artificial Intelligence now helps the app to detect prohibited words and images and to screen voice messages.

WhatsApp mods or copycats are evolving in a more controlled cyberspace. The inscrutable paths of instant messaging app innovations are not always so promising.