WhatsApp mods with spyware

Our researchers discovered spyware-infected WhatsApp modifications distributed through Telegram channels and websites with WhatsApp mods.

WhatsApp spyware modifications in Telegram

Over the past decade, messaging apps such as WhatsApp and Telegram have become an integral part of life for almost every internet user. Billions of people use them to chat with loved ones, share funny pictures and videos with friends, communicate with coworkers, catch up on the news, and so on. Just try to imagine modern life without messengers. Hard, isn’t it? Unfortunately, these indispensable apps sometimes contain hidden threats.

WhatsApp and Telegram mods: the whats and whys

Some people think that the official WhatsApp and Telegram apps lack functionality — be that additional options to customize the interface or something more specific; for example, the ability to hide chats, automatically translate messages, or view messages deleted by chat partners. And the list of “missing” features is a very long one.

Third-party developers create modifications, or mods of standard WhatsApp and Telegram apps to satisfy even the most peculiar user needs, and there are a great many such mods.

The problem with installing any of them is that the user must entrust their correspondence not only to the original messenger developers but also to the mod developers, who can easily hide malicious modules in them; mod distributors can also add something of their own.

In the case of WhatsApp, the situation with mods is further complicated by its owners. They don’t approve of modifications and so hinder their distribution. From time to time, WhatsApp’s owners try to prohibit folks from using mods — albeit unsuccessfully thus far. Meanwhile they have had some success in barring alternative clients for WhatsApp from the official stores like Google Play and App Store.

As a consequence, users of WhatsApp mods are accustomed to downloading them from just about anywhere. APK files are boldly downloaded, settings are switched to allow installation from unknown sources, and mods are then run on phones. And cybercriminals exploit this carelessness by embedding malware in the mods.

Our experts recently found several such infected mods, which we’ll take a look at in this post.

Infected WhatsApp mods on Telegram

The WhatsApp mods that caught our experts’ attention hadn’t previously shown any malicious activity. Now, however, they contain a spy module, which our security solutions detect as Trojan-Spy.AndroidOS.CanesSpy.

After installation on the victim’s smartphone, an infected WhatsApp mod waits for the phone to be turned on or put on charge before launching the spy module. It contacts one of the C2 servers from the respective list and uploads various information about the device to it, such as phone number, IMEI, cellular network code, and so on. What’s more, the spy Trojan sends information about the victim’s contacts and accounts to the server every five minutes, all the while waiting for commands.

Leaving service commands aside, the spy module’s capabilities are essentially reduced to two functions:

  • Search the device and send its operators files contained in the smartphone’s memory (to be precise, in its non-system part, or “external storage” in Android terminology)
  • Record sound from the built-in microphone and, as before, send the recordings to C2

As for how the spyware was distributed, infected WhatsApp modifications were found in several Arab and Azerbaijani Telegram channels under the names of popular mods: GBWhatsApp, WhatsApp Plus, and AZE PLUS — a WhatsApp Plus version with the interface translated into Azerbaijani.

Infected WhatsApp mods in Telegram channels

WhatsApp mods infected with spyware were distributed mostly in Azerbaijani and Arabic Telegram channels

In addition, our experts discovered APK files infected with the spy module on WhatsApp mod download websites.

In October, our security solutions detected and prevented more than 340,000 attacks by this spyware in more than 100 countries. Note that we’re talking about attacks intercepted by our solutions. The total number (accounting for phones on which our solutions aren’t installed) is likely much higher.

Although the geographic spread of the threat is extensive, the largest number of infection attempts — by a wide margin — was registered in Azerbaijan, followed by several Arab countries: Yemen, Saudi Arabia, and Egypt; as well as Turkey.

Geography of infection attempts by Trojan-Spy.AndroidOS.CanesSpy

Top-20 countries where WhatsApp spy mods were distributed

How to protect yourself against messenger spyware

This isn’t the first case in 2023 of malicious modules being found in modified messenger apps. A few months ago we wrote about a string of infected mods for Telegram, WhatsApp, and even the secure messenger Signal. So there’s every reason to remain vigilant:

  • Use only the official WhatsApp and Telegram apps. As we’ve seen, messenger mods are prone to malware.
  • Install apps only from official stores: Apple App Store, Google Play, Huawei AppGallery, and the like. These aren’t immune to malware, but still way safer than third-party websites, which often have no security measures in place at all.
  • Before installing any app, first study its page in the store and make sure it’s not fake — bad actors often create clones of popular apps.
  • Read user reviews of the app, paying special attention to negative ones. There you’ll probably find out if it demonstrates suspicious activity.
  • Be sure to install reliable protection on all your devices. This will detect malicious code inside a seemingly harmless app, and warn you in time.
  • Remember that in the free version of our Kaspersky for Android app, you have to run the scan manually.
  • If you use the premium version of our protection for Android — which comes included in the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscriptions — you can sit back and relax: scanning for threats takes place automatically.
Tips