WhatsApp spy mod spreads through Telegram, attacks Arabic-speaking users

It is not rare that users of popular instant messaging services find the official client apps to be lacking in functionality. To address that problem, third-party developers come up with mods that offer sought-after features besides aesthetic upgrades. Unfortunately, some of these mods contain malware alongside legitimate enhancements. A case in point occurred last year when we discovered the Triada Trojan inside a WhatsApp mod. Recently, we described a Telegram mod with an embedded spy module, distributed through Google Play. It is the same story with WhatsApp now: several, previously harmless, mods were found to contain a spy module that we detect as Trojan-Spy.AndroidOS.CanesSpy.

How the spy module works

We will use the 80d7f95b7231cc857b331a993184499d sample to illustrate how spy modules operate.

The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client. A broadcast receiver listens for broadcasts from the system and other applications, such as phone starts charging, text message received, or downloader finishes downloading. When the receiver gets a message like that, it calls the event handler. In the WhatsApp spy mod, the receiver runs a service that launches the spy module when the phone is switched on or starts charging.

Suspicious app components

The service looks to the Application_DM constant in the malware code to choose the command-and-control (C&C) server that the infected device will contact going forward.

Selecting a command-and-control server

When the malicious implant starts, it sends a POST request containing information about the device to the threat operator’s server along the path /api/v1/AllRequest. The information includes the IMEI, phone number, mobile country code, mobile network code, and so on. The Trojan also requests configuration details, such as paths for uploading various types of data, intervals between requests to the C&C, and so on. Furthermore, the module transmits information about the victim’s contacts and accounts every five minutes.

After the device information is successfully uploaded, the malware starts asking the C&C for instructions, which the developers call “orders”, at preconfigured intervals (one minute by default). The table below contains a detailed description of the commands and paths the malware uses to send responses to the server.

Command
Default response path
Description
Settings

GET_FILE
/api/v1/UploadFileWithContinue
Send a file from external storage (non-system memory or a removable medium, such as an SD card) as a ZIP archive
File path on the victim device

UploadFileWithQuery
/api/v1/UploadFileWithContinue
Send files from external storage that match a specified filter as a ZIP archive
An SQL SELECT row filter used for selecting data when calling ContentResolver (the class used for file access on Android devices)

GetAllFileList
/api/v1/SaveFileNames
Send paths to all files in the external storage

GET_SPEC_FILE_TYPE
/api/v1/SaveFileNames
Send file names that have a specified extension
An SQL SELECT row filter used for selecting data when calling ContentResolver

UpdateAllDeviceData
/api/v1/AllRequest
Send information about the device, the infected application (package name and spy implant version), and the victim’s contacts and accounts

RecordSound
/api/v1/UploadSmallFile
Record sound from the microphone
Recording duration in seconds

DeviceOtherData
/api/v1/SaveResponseToFile
Send information about the spy implant configuration

ChangeMainDmain

Change command-and-control servers
A new C&C address

Get_Compressed_File
/api/v1/UploadFileWithContinue
Send files from external storage as a ZIP archive
A list of the paths to the files to upload

It was messages sent to the command-and-control server that caught our attention. They were all in Arabic, which suggests that the developer speaks Arabic as well.

How WhatsApp spy mods are distributed

After discovering the spy modules inside the WhatsApp mods, we decided to find out how they spread. An analysis of statistics pointed to Telegram as the main source. We found a number of Telegram channels, mostly in Arabic and Azeri languages. Just the most popular of these had almost two million subscribers. We alerted Telegram to the fact that the channels were used for spreading malware.

After downloading the latest version of the mod (1db5c057a441b10b915dbb14bba99e72, fe46bad0cf5329aea52f8817fa49168c, 80d7f95b7231cc857b331a993184499d) from each of the channels, we discovered that they contained the spy module described above, which only validated our assumptions. Seeing as how the malware components were not part of the original mod, we examined several recent versions and identified the first one to be infected. According to our findings, the spyware has been active since mid-August 2023. At the time of writing, all versions published in the channels since then contained malware. However, later (around October 20, if judging by the timestamps in the APK) at least one most recent version in at least one of the channels was substituted with a clean version.

DEX timestamps in the infected app (to the left) and in the clean version (to the right)

Besides the Telegram channels, the infected mods are distributed through various dubious websites dedicated to WhatsApp modifications.

Attack geography of the new WhatsApp spyware

Kaspersky security solutions thwarted more than 340,000 attacks by the WhatsApp spy mod across more than a hundred countries between October 5 and 31. Still, if we consider the nature of the distribution channel, the real number of installations could be much higher. The five countries with the highest attack numbers were Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.

Top 20 countries by number of discovered WhatsApp spy mod infection attempts (download)

Conclusion

We regret to say that we have seen an increase in the number of instant messaging app mods that contain malware code. WhatsApp mods are mostly distributed through third-party Android app stores, which often lack screening and fail to take down malware. Some of these resources, such as third-party app stores and Telegram channels, enjoy considerable popularity, but that is no guarantee of safety. To avoid losing your personal data, we recommend using official instant messaging clients only. Should you need the extra features, we advise that you use a reliable security solution that can detect and block the malware if the mod you chose proves to be infected.

Indicators of compromise

MD5
1db5c057a441b10b915dbb14bba99e72
fe46bad0cf5329aea52f8817fa49168c
80d7f95b7231cc857b331a993184499d
cbb11b28d2f79ad28abdc077026fc8f2
19c489bcd11d7eb84e0ade091889c913
3fda123f66fa86958597018e409e42c0

C&C
hxxps://application-marketing[.]com
hxxps://whatsupdates[.]com
hxxps://android-soft-store[.]com
hxxps://whats-media[.]com
hxxps://whats-mate[.]com
hxxps://whats-mate[.]net
hxxps://whats-mydns[.]com
hxxps://whats-mydns[.]net
hxxps://whats-vpn[.]com
hxxps://whats-vpn[.]net

Websites distributing malicious mods
hxxps://whatsagold[.]app
hxxps://watsabplusgold[.]com
hxxps://www.whatsgold[.]app
hxxps://www.3ssem[.]com
hxxps://goldnwhats[.]app
hxxps://omarwhats[.]app