The attack starts with a fake WhatsApp notification delivered via email, claiming that the user has received new voicemail:
Pressing the Play button will redirect users to different malicious sites depending on which device they use to view the email.
In the case of PC users, they will be taken to a site that warns them that they should download an update for their browser. Fortunately for them, the offered browser_update_installer.jar file is a Java file for the mobile version, and can't do much damage on a PC.
iPhone users that haven't jailbroken their devices are likewise safe, because the downloaded app can't be installed from a source that isn't Apple's official app store.
Android users are obviously the primary target, as they are urged to download the browser_update_installer.apk file disguised as a browser named “Browser 6.5”.
When started, the "app" tries to make the user agree with the terms of the download to continue. Unfortunately, if they do that the app will send text messages to specific premium rate phone numbers, and will also try to convince them to download another app malicious app.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.