Do Not Install GBWhatsApp: Malware Analysis Reveals Alarming Security Threats

GBWhatsApp, a popular unofficial messaging app, has recently come under criticism after it was found to be engaging in espionage activities on Android devices.

Alameen Karim Merali of Dark Horse Security Inc. produced a comprehensive research report that sheds light on the technical aspects of the potential security issues linked with this alternative version of WhatsApp.

The study provides an in-depth examination of GBWhatsApp’s vulnerabilities and malicious intent. Its results have raised serious concern about the security of user data on Android devices.

The investigation began with a startling discovery: during an attempt to install GBWhatsApp from a specific link, Google Play Protect displayed a warning notifying the user of the theft of passwords and other information.

As a safeguard, Google Play Protect blocked the app from being installed and showed the warning notification.

The initial dynamic analysis yielded minimal insight because the app did not exhibit any immediately suspicious behavior.

Merali then turned to static analysis to gain a more complete understanding, which provided important information about the app’s nefarious behaviors.

VirusTotal scan results showed that, with the exception of one engine, no anti-malware engine flagged GBWhatsApp, which demonstrates its ability to evade detection by popular security software. Further analysis with Joe Sandbox, however, revealed more details about the app’s actions.

Merali also examined the Android app thoroughly using Jadx, a Dex-to-Java decompiler. The research yielded several concerning findings:

| Finding | Implication |
| --- | --- |
| Google Play Protect warning | App flagged for stealing passwords and sensitive information, did not install. |
| Dynamic Analysis results | No immediate suspicious behavior observed. |
| VirusTotal Scan | App not flagged by most Anti-Malware Engines, except for one. |
| Joe Sandbox Analysis | Provided more in-depth insights into the app’s activities. |
| Bitcoin Requests | Suggests potential involvement in crypto-malware actions. |
| SMS Composition | Ability to send SMS messages in the background, indicating potential SMS fraud. |
| Device Boot Detection and Downloading | Permission to detect device boot and operate as a downloader, potentially downloading malware. |
| Credential Theft | Ability to access and use local credentials for unauthorized logins. |
| Device Diagnostic Data | Permission to request and obtain device diagnostic data. |
| Suspicious Payment Permissions | Potentially used for malicious activities, including remote fraud. |
| Requests for Popular Apps | Ability to request information about popular apps on the device. |
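
The permission-related findings above can be checked during static triage of any sideloaded APK. The following is an added example, not code from the report or from Dark Horse Security: it reads a decoded AndroidManifest.xml (the text form that Jadx shows) and groups requested permissions under the article's finding names. The mapping from findings to permission names and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping from the article's findings to real Android permission names;
# the report's own permission list is not reproduced on this page.
FINDINGS = {
    "SMS Composition": {"android.permission.SEND_SMS"},
    "Device Boot Detection and Downloading": {
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.REQUEST_INSTALL_PACKAGES"},
    "Credential Theft": {"android.permission.USE_CREDENTIALS"},
    "Device Diagnostic Data": {"android.permission.DUMP"},
    "Suspicious Payment Permissions": {"com.android.vending.BILLING"},
    "Requests for Popular Apps": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Constructed sample manifest, not taken from GBWhatsApp.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def requested_permissions(root):
    """Names declared in <uses-permission> and <uses-permission-sdk-23>."""
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID + "name") for t in tags for el in root.iter(t)} - {None}

def boot_receivers(root):
    """Receivers whose intent filter listens for BOOT_COMPLETED."""
    return sorted(r.get(ANDROID + "name", "") for r in root.iter("receiver")
                  if any(a.get(ANDROID + "name") == "android.intent.action.BOOT_COMPLETED"
                         for a in r.iter("action")))

def triage(manifest_xml):
    """Return (finding -> matching permissions, boot-time receivers)."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    hits = {f: sorted(perms & want) for f, want in FINDINGS.items() if perms & want}
    return hits, boot_receivers(root)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A permission match is only a triage signal: legitimate apps request some of these permissions too, so hits should be followed up in the decompiled code.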


The investigation also uncovered domains associated with the app’s developer, potentially disclosing the identity of the person behind GBWhatsApp.

This includes domain information relating to the app’s theming settings as well as a Telegram channel, which reveals the developer’s identity even further.

Finally, the study strongly cautions against using GBWhatsApp or similar WhatsApp alternatives, since they represent major security risks and function in a manner similar to the Joker Malware.

The extensive permissions uncovered by the analysis and the potential for harmful activity underscore the risks of using unlicensed messaging apps, even if they provide more functionality than WhatsApp.

Android users are strongly advised to prioritize security and use approved, verified messaging apps to protect their data and privacy.