A malicious version of a popular modification or “mod” of the encrypted messaging app WhatsApp is carrying a mobile trojan that can launch advertisements, issue paid subscriptions and intercept text messages, security researchers said Tuesday.

According to Kaspersky, hackers inserted the Triada trojan into a modified version of FMWhatsapp, a WhatsApp mod. Such mods have a following among users who want to customize WhatsApp, such as being able to send larger files or apply custom animated themes.

FMWhatsapp isn’t available on the Google Play store and is only available via third party websites, which means users who desire the extra features the mod offers don’t get the security protections inherent in more officially-vetted apps.

Kaspersky first spotted Triada in 2016, when the company deemed the hacking tool “one of the most advanced mobile Trojans our malware analysts have ever encountered.”

Users grant FMWhatsapp permission to read SMS messages, Kaspersky said, simultaneously granting the trojan access to text messages, too. Hackers inserted Triada into the modified FMWhatsapp along with the advertising software development kit. That’s similar to something that happened with the APKPure app used to download unavailable Android apps.

“With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed — it adds additional features,” said Igor Golovin, security expert at Kaspersky. “However, we have observed how cybercriminals have started to spread malicious files through the ad blocks in such apps.” 

The case of FMWhatsapp and Triada is a lesson about how, in a drive to give users “improved” versions of a software, modders can introduce security holes.

Foud Apps, the reported developer of FMWhatsapp, didn’t respond to a message seeking comment about Kaspersky’s research. Nor did Facebook, owner of WhatsApp.

Among the malware that FMWhatsapp downloads is XHelper, a sticky kind of Android malware that’s difficult to remove.