Kaspersky has discovered a malicious WhatsApp spy mod that has now infiltrated Telegram, affecting over 340,000 users in a month. The malware targets users who communicate in Arabic and Azeri, harvesting personal information while offering additional features, highlighting the need for caution with third-party software and the importance of using reputable security solutions.
4 November 2023 – Cybersecurity researchers at Kaspersky have uncovered a new malicious WhatsApp spy mod that has now infiltrated the popular messaging platform Telegram. While the mod enhances the user experience, it also secretly harvests personal information from its victims. This malware, with a reach surpassing 340,000 users in just one month, primarily targets Arabic and Azeri-speaking users, but victims have been identified globally.
Third-party mods for popular messaging apps are often sought after by users to add extra features. However, some of these mods, despite enhancing functionality, come with hidden malware. Kaspersky has identified a new WhatsApp mod that offers not only additional features like scheduled messages and customization options but also contains a malicious spyware module.
The modified WhatsApp client includes suspicious components in its manifest file, including a service and a broadcast receiver, which are absent in the original version. The receiver initiates a service, activating the spy module when the phone is powered on or charging. Once activated, the malicious implant sends device information to the attacker’s server, including details such as IMEI, phone number, country and network codes, among others. It also transmits the victim’s contacts and account information every five minutes and can initiate microphone recordings and exfiltrate files from external storage.
The malicious version found its way to popular Telegram channels, primarily targeting Arabic and Azeri speakers, some of which have nearly two million subscribers. Kaspersky researchers have alerted Telegram about this issue. In October alone, Kaspersky’s telemetry identified over 340,000 attacks involving this mod. This threat emerged relatively recently, becoming active in mid-August 2023.
Countries such as Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt have witnessed the highest attack rates. While the preference leans toward Arabic and Azerbaijani-speaking users, individuals from the US, Russia, UK, Germany, and beyond have also been impacted.
Kaspersky’s products detect the Trojan with the following verdict: Trojan-Spy.AndroidOS.CanesSpy.
“People naturally trust apps from highly followed sources, but fraudsters exploit this trust. The spread of malicious mods through popular third-party platforms highlights the importance of using official instant messaging clients. However, if you need some extra features not presented in the original client, you should consider employing a reputable security solution before installing third-party software, as it will protect your data from being compromised,” comments Dmitry Kalinin, a security expert at Kaspersky.
To stay safe, Kaspersky experts recommend the following:
- Use Official Marketplaces: Download apps and software from reputable and official sources. Avoid third-party app stores, as the risk of them hosting malicious or compromised apps is higher.
- Use Reputable Security Software: Install and maintain reputable antivirus and anti-malware software on your devices. Regularly scan your devices for potential threats and keep your security software up to date.
- Educate Yourself about Common Scams: Stay informed about the latest cyber threats, techniques, and tactics. Be cautious of unsolicited requests, suspicious offers, or urgent demands for personal or financial information.
- Be Cautious with Third-Party Software: Third-party software from popular sources often comes with zero warranty. Keep in mind that such apps can contain malicious implants, such as supply chain attacks.
