New Malicious WhatsApp Spy Mod Targets Telegram Users


Researchers at Kaspersky have uncovered a malicious WhatsApp modification that is now spreading within the popular messenger app Telegram.

This spy mod offers enhanced features but secretly harvests personal information, with over 340,000 attacks detected in one month. The malware primarily targets Arabic and Azeri-speaking users but has affected victims globally.

A new malicious WhatsApp spy modification, initially discovered by Kaspersky researchers, is now infiltrating another widely used messenger platform, Telegram. While this modification claims to enhance user experience, it covertly gathers personal data from unsuspecting victims.

With a significant reach of over 340,000 attacks detected in just one month, this malware primarily focuses on users who communicate in Arabic and Azeri. However, victims have been identified globally, with Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt experiencing the highest attack rates.

Many users turn to third-party modifications for popular messaging apps to access additional features. However, some of these mods, while offering improved functionality, also contain hidden malware. Kaspersky has identified a new WhatsApp mod that not only provides features like scheduled messages and customization options but also includes a malicious spyware module.

The altered WhatsApp client’s manifest file contains suspicious components, including a service and a broadcast receiver that are not present in the original version. The receiver triggers a service, activating the spy module when the phone is powered on or charging. Once active, the malicious implant sends device information to the attacker’s server.

This data includes the IMEI, phone number, country and network codes, and more. It also sends the victim’s contacts and account details every five minutes and can initiate microphone recordings and extract files from external storage.
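The manifest differences described above (a service and a broadcast receiver absent from the original client) can be checked by comparing a mod's decoded manifest against the official one. The following is an added example, not code from Kaspersky's report: the manifests and component names are constructed, and mapping "powered on or charging" to the `BOOT_COMPLETED` and `ACTION_POWER_CONNECTED` broadcasts is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: standard Android broadcasts matching "powered on or charging".
AUTOSTART = {"android.intent.action.BOOT_COMPLETED",
             "android.intent.action.ACTION_POWER_CONNECTED"}

def components(manifest_xml):
    """Map (tag, android:name) to the intent-filter actions it declares."""
    found = {}
    root = ET.fromstring(manifest_xml)
    for tag in ("activity", "service", "receiver", "provider"):
        for node in root.iter(tag):
            name = node.get(ANDROID + "name") or ""
            found[(tag, name)] = {a.get(ANDROID + "name") for a in node.iter("action")}
    return found

def added_components(official_xml, suspect_xml):
    """List components only in the suspect manifest, noting autostart triggers."""
    official = components(official_xml)
    findings = []
    for (tag, name), actions in sorted(components(suspect_xml).items()):
        if (tag, name) not in official:
            findings.append({"type": tag, "name": name,
                             "autostart": sorted(actions & AUTOSTART)})
    return findings

# Constructed manifests (as decoded text XML); all names are hypothetical.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
OFFICIAL = HEAD + """<application>
  <activity android:name="com.example.messenger.Main"/>
  <service android:name="com.example.messenger.SyncService"/>
</application></manifest>"""
SUSPECT = HEAD + """<application>
  <activity android:name="com.example.messenger.Main"/>
  <service android:name="com.example.messenger.SyncService"/>
  <service android:name="com.example.mod.HypotheticalService"/>
  <receiver android:name="com.example.mod.HypotheticalReceiver">
    <intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    </intent-filter>
  </receiver>
</application></manifest>"""

if __name__ == "__main__":
    for finding in added_components(OFFICIAL, SUSPECT):
        print(finding)
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a comparison like this can run.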

This malicious version infiltrated popular Telegram channels, primarily targeting Arabic and Azeri speakers, with some of these channels boasting nearly two million subscribers. Kaspersky researchers promptly alerted Telegram about this issue.

Kaspersky’s telemetry identified over 340,000 attacks involving this mod in October alone. This threat emerged relatively recently, becoming active in mid-August 2023. The top five countries with the highest attack rates are Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt. While the preference leans towards Arabic and Azerbaijani-speaking users, it also impacts users globally.

Kaspersky products identify this Trojan as Trojan-Spy.AndroidOS.CanesSpy.

Dmitry Kalinin, a security expert at Kaspersky, advises, “People naturally trust apps from highly followed sources, but fraudsters exploit this trust. The spread of malicious mods through popular third-party platforms highlights the importance of using official IM clients. However, if you need some extra features not presented in the original client, you should consider employing a reputable security solution before installing third-party software, as it will protect your data from being compromised. For robust personal data protection, always download apps from official app stores or official websites.”
