Android.Click
Android.Click.1812 is Dr.Web’s detection for malicious modified WhatsApp messenger applications. According to the provided content, these unofficial WhatsApp mods covertly load or open various websites in the background without the victim noticing, effectively functioning as ad-displaying/click-fraud style Android malware. The malware is associated with widespread malicious WhatsApp modifications observed in 2025 and is part of the broader category of unofficial messenger mods used to generate unwanted web traffic or advertising activity. The content specifically identifies the infection vector as trojanized WhatsApp mod distributions; no specific threat actor, industry targeting, or technical indicators of compromise beyond the detection name and behavior are provided.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Detection name for malicious WhatsApp mods that covertly load websites/URLs in the background (traffic redirection/forced browsing).
Detection name for malicious WhatsApp mods that covertly load websites/URLs in the background without user awareness.
Detection name for malicious WhatsApp mods that silently load websites in the background (traffic/redirect monetization and potential further abuse).
Malicious WhatsApp modifications that stealthily load websites in the background (traffic/redirect abuse).
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.