WhatsApp Malware Delivery: Auto-Spread Banking Trojans

WhatsApp has a huge user base and a high level of trust, which makes it an attractive target for criminals. Between 2025 and 2026, attacker tactics shifted from simple phishing links to more advanced, self-propagating threats: for example, sending malicious files (such as ZIP archives that contain LNK or APK files) or tricking users into downloading and installing malicious apps. Once a user opens the file or installs the app, the malware begins propagating itself automatically by reading the user's address book and sending itself to their contacts.

The primary objective of these attacks is usually the installation of banking trojans that let the attacker steal the victim's credentials, present a fake login screen, capture the victim's one-time passwords, or initiate unauthorized transactions. Regions with a high proportion of users who rely on WhatsApp for banking (e.g., Brazil, parts of Latin America, the Middle East, and Africa) are experiencing the biggest losses, with money stolen from victims' accounts outright or drained over time.

Common Delivery and Distribution Methods
1. Initial contact is made through unsolicited messages from unknown telephone numbers, often hacked or spoofed accounts, with an urgent pretext (e.g., "You missed your letter delivery, click here." or "A friend sent you funds; please see the attachment.").
2. Malicious files are attached to e-mails as ZIP archives containing either LNK shortcuts or disguised APKs. When opened, the attached files execute code and can install the malware onto the user's device silently in the background.
3. Automatic propagation: Once installed, the malware can read the victim's contacts and automatically send itself through WhatsApp as a message (text plus file), often with a social-engineering lure that looks legitimate (e.g., "Look at this photo!" or "See your payment receipt"). This automatic propagation gives the malware a worm-like spread.
4. Banking trojans: Trojans that overlay the screen of legitimate banking apps to capture login credentials and/or one-time passwords (OTP) and to inject transactions into banking systems. Many of these banking trojans abuse the platform's built-in accessibility services to perform these functions automatically.
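As an added example that is not part of the original post, the Python script below shows how a help desk or gateway could triage a forwarded ZIP attachment of the kind described in points 2 and 3: it flags .lnk and .apk entries by extension, recognises a Windows shortcut by its header bytes, and detects a "disguised APK" by opening each entry as a nested ZIP and looking for Android package markers, so a renamed photo.jpg is still caught. The sample archive, its file names and the marker set are constructed here for illustration.

```python
import io
import zipfile

# Windows Shell Link (.LNK) files begin with HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}  # present in any real APK
RISKY_EXT = (".lnk", ".apk")


def looks_like_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP whose listing carries Android package markers."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return bool(set(inner.namelist()) & APK_MARKERS)
    except zipfile.BadZipFile:
        return False


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry in a ZIP attachment to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, payload = info.filename, zf.read(info)
            reasons = []
            if name.lower().endswith(RISKY_EXT):
                reasons.append("risky extension")
            if payload.startswith(LNK_MAGIC):
                reasons.append("LNK shortcut content")
            if looks_like_apk(payload) and not name.lower().endswith(".apk"):
                reasons.append("APK content under non-.apk name")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample: a double-extension shortcut and an APK renamed to look like a photo."""
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as inner:
        inner.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder contents
        inner.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 68)  # header only, not a real link
        zf.writestr("photo.jpg", apk.getvalue())
        zf.writestr("readme.txt", b"harmless text")
    return outer.getvalue()
```

Running `triage_zip(build_sample())` flags invoice.pdf.lnk and photo.jpg while leaving readme.txt alone; the content checks matter because the extension alone misses the renamed APK.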

Key Campaigns for 2025-2026:
1. Boto Cor-De-Rosa: An evolved form of a WhatsApp worm used to spread a banking trojan to Brazilian victims through chat messages; this was an Astaroth variant of the original Boto worm.

2. Eternidade Stealer: This was spread through hacked WhatsApp accounts and through social engineering and was primarily designed to steal financial information from victims.

3. Maverick Banker: Uses .LNK file attachments that are sent through WhatsApp messages to deliver an advanced banking trojan to Brazilian users.

4. Kaduu/Coyote variants: Similar to the auto-messaging worms described above; these worms exploit WhatsApp's broad user base, which increases the potential for fraud.

These campaigns all require user interaction in order to open an infected file. However, after a device has been compromised through a successful interaction, this malware has the ability to rapidly propagate throughout users' contact lists.

If you see these signs, your device or account may be compromised:
1. Messages sent to your contacts from your number that you don't remember sending.
2. You find apps you didn't install on your phone, or your battery drains quickly after you clicked a link or attachment.
3. Your banking app shows a fake overlay or pop-up asking you to sign in unexpectedly.
4. Your device uses significantly more data than usual or connects to questionable IP addresses.
5. Your WhatsApp account was logged in from an unrecognized device (check Linked Devices in Settings).

Practical Prevention Steps
1. Do not open attachments from unknown senders, such as ZIP archives, Android Package (APK) files or LNK files. Report and delete those messages immediately.

2. Turn off the auto-download feature of WhatsApp. Go to Settings > Storage and Data, and then to Media Auto-Download and disable it for mobile data and Wi-Fi.

3. If someone sends you something unusual on WhatsApp, call or text that contact using another venue to try to verify the legitimacy of the message.

4. Always run the most current version of WhatsApp, installed from the official app stores. New releases fix the vulnerabilities exploited against earlier versions (e.g., the zero-click attacks found in 2025).

5. You should configure Two-Step Verification. You can enable this by going to WhatsApp Settings > Account > Two-Step Verification and configuring the PIN for Two-Step Verification.

6. Make use of a Mobile Security App. Use any of the free mobile security apps (e.g., Malwarebytes, Bitdefender Mobile Security, Google Play Protect) to scan your phone for trojans.

7. Monitor Which Devices are Active on WhatsApp. Go to WhatsApp > Settings > Linked Devices and log out any device you did not connect yourself.

8. Use WhatsApp to Report and Block Spammers or Malicious Messages. Choose "Report spam" on the message and then select the block option for the sender.

Key Takeaways
In 2025-2026, malware delivery through WhatsApp has evolved from sending plain links to self-spreading threats: a malicious attachment installs a banking trojan in the background, which steals the victim's account and then spreads itself by hijacking the victim's contacts. The targets are users who trust their messages, especially in regions where WhatsApp is used for banking transactions.

The best way to protect against these attacks is to never open unsolicited attachments, to turn off automatic downloading of files, and to check with the sender through another channel before responding to any strange message.

Always use official updates and security software for your phone. If you think your device has been infected with malware, or it is not performing properly, disconnect it from the internet, run a full scan, change all of your passwords, including those for bank accounts, and keep a close eye on your bank accounts to ensure nothing else has happened.

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067