Hidden Spyware Detected in Multiple WhatsApp Mods
Third-party mods for instant messaging services have grown in popularity among users looking for additional features not found in the official client apps. However, most of these mods come laden with hidden malware.
Researchers at Kaspersky discovered that several previously harmless WhatsApp mods contained a spy module dubbed Trojan-Spy.AndroidOS.CanesSpy.
According to the security researchers, the spy module relies on two suspicious components found in the trojanized mod: a service and a broadcast receiver. Neither component is part of the official WhatsApp program.
Upon deployment, the broadcast receiver listens for various system and application broadcasts, such as the phone charging, a file being downloaded, or a text message arriving. On receiving such a broadcast, the receiver activates the spy module, generally when the phone either begins charging or is turned on.
Meanwhile, the service component is responsible for selecting the command-and-control (C2) server (point of contact). Upon activation, the malicious implant sends device information, including the IMEI, phone number, mobile country code, mobile network code and more, to the C2 server. The spyware also gathers configuration details and transmits the victim’s contacts and accounts data every five minutes.
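Because the service and broadcast receiver described above are absent from the official client, comparing declared components against a known-good manifest is one way to surface them. The following is an added example, not code from Kaspersky's advisory: it assumes both manifests have already been decoded to text XML (for example with apktool), and the package and component names are constructed placeholders, not CanesSpy's real identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Broadcast actions matching the triggers the article lists: power-on, charging, SMS, downloads.
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.ACTION_POWER_CONNECTED",
            "android.provider.Telephony.SMS_RECEIVED",
            "android.intent.action.DOWNLOAD_COMPLETE"}

# Constructed sample manifests (hypothetical package and component names).
OFFICIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger"><application>
  <service android:name=".push.MessageService"/>
  <receiver android:name=".push.PushReceiver"><intent-filter>
    <action android:name="com.example.messenger.PUSH"/></intent-filter></receiver>
</application></manifest>"""
MOD = OFFICIAL.replace("</application>", """
  <service android:name="com.example.extra.SyncService"/>
  <receiver android:name="com.example.extra.WakeReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
  </intent-filter></receiver></application>""")

def components(manifest_xml):
    """Map 'kind:qualified.Name' to its intent-filter actions, for services and receivers."""
    root = ET.fromstring(manifest_xml)
    pkg, found = root.get("package", ""), {}
    for kind in ("service", "receiver"):
        for node in root.iter(kind):
            name = node.get(ANDROID + "name", "")
            if name.startswith("."):        # relative names resolve against the package
                name = pkg + name
            found[f"{kind}:{name}"] = {a.get(ANDROID + "name") for a in node.iter("action")}
    return found

def audit(official_xml, candidate_xml):
    """Components declared only by the candidate, with any trigger actions they listen for."""
    baseline = components(official_xml)
    return {key: sorted(actions & TRIGGERS)
            for key, actions in components(candidate_xml).items() if key not in baseline}

if __name__ == "__main__":
    for component, triggers in audit(OFFICIAL, MOD).items():
        print(component, "->", triggers or "no trigger actions declared")
```

An extra component is a lead for review rather than proof of infection, since legitimate mods also add components; a new receiver that wakes on boot or power events alongside a new service is the pattern the article describes.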
“After the device information is successfully uploaded, the malware starts asking the C&C for instructions, which the developers call ‘orders’, at preconfigured intervals (one minute by default),” the advisory stated.
During the investigation, it was noticed that all messages sent to the C2 server were in Arabic, suggesting that the developer spoke Arabic. Kaspersky found that the trojanized mods were distributed through various dubious websites promoting these WhatsApp mods and through popular Telegram channels, mostly in Arabic and Azeri.
In connection with this spyware mod, the cybersecurity solution provider is said to have blocked more than 340,000 attacks in over 100 countries between October 5 and 31 alone. Its investigation further revealed that the attacks were mainly recorded in countries such as Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.
Kaspersky went on to advise users to use only the official messaging clients to secure their personal data. “Should you need the extra features, we advise that you use a reliable security solution that can detect and block the malware if the mod you chose proves to be infected,” the advisory recommended.