Cybersecurity firm Kaspersky has uncovered a malicious WhatsApp modification, or mod, now spreading through Telegram. These popular messaging apps often see users turning to third-party mods for additional features or improvements. However, Kaspersky warns that some of these enhancements harbour hidden malware beside their purported legitimate upgrades.
Once activated, the mod sends device information to an attacker's server. The malicious mods are now predominantly seen on Telegram, with the primary targets being Arabic and Azeri-speaking users. Kaspersky has detected over 340,000 attacks linked to this specific mod throughout October alone.
Kaspersky's research has found this new malicious WhatsApp spy mod proliferating within Telegram. Whilst the mod does provide additional user experience features, it simultaneously and covertly harvests personal data from its users. The malware's reach is extensive, exceeding 340,000 attacks in a single month, with victims identified globally.
Users regularly utilise third-party mods for popular messaging applications in pursuit of added features. However, alongside these enhancements, some mods also carry hidden malware. Kaspersky has spotlighted a new WhatsApp mod containing not just additional features like scheduled messages and customisation options, but also a potentially harmful spyware module.
The mod features suspicious components not present in the original WhatsApp client. Initiation of these components launches the hidden spy module as soon as the phone powers on or starts charging.
Following activation, this malicious implant sends a request to the attacker's server with harvested device information. This includes device-specific properties such as IMEI, phone number, country, and network codes, but also regularly transmits account details and contact lists as frequently as every five minutes.
Moreover, the mod can enable microphone recordings and extract files from external storage. Prevenient on popular Telegram channels, the mod predominantly targets Arabic and Azeri speakers, some of whom are members of channels with nearly two million subscribers.
Kaspersky quickly alerted Telegram regarding the issue and their telemetry data confirmed the prevalence of this threat, with over 340,000 attacks involving this mod in October alone. The threat began to manifest in mid-August 2023.
Regions including Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt experienced the most substantial attack rates. Regardless, while the focus appears inclined towards Arabic and Azerbaijani-speaking users, individuals from countries such as the US, Russia, UK, Germany and beyond are also impacted. Kaspersky's virus detection system identifies this Trojan as Trojan-Spy.AndroidOS.CanesSpy.
"People naturally trust apps from highly followed sources, but fraudsters exploit this trust. The spread of malicious mods through popular third-party platforms highlights the importance of using official IM clients."
"However, if you need some extra features not presented in the original client, you should consider employing a reputable security solution before installing third-party software, as it will protect your data from being compromised. For robust personal data protection, always download apps from official app stores or official websites," comments Dmitry Kalinin, security expert at Kaspersky.
In the light of these findings, Kaspersky experts suggest maintaining safety with the following methods:
- Exclusively download apps and software from reputable and official sources while avoiding third-party app stores
- Install and maintain reputable antivirus and anti-malware software on your devices with regular scans for potential threats and constant updates
- Educate yourself about common scams and the latest cyber threats
- Be wary of unsolicited requests or suspicious offers demanding personal or financial information
Kaspersky further emphasises that third-party software from popular sources often comes without any warranty, therefore such apps can potentially contain malicious implants due to supply chain attacks.