It is not rare that users of popular instant messaging services find the official client apps to be lacking in functionality. To address that problem, third-party developers come up with mods that offer sought-after features besides aesthetic upgrades. Unfortunately, some of these mods contain malware alongside legitimate enhancements. A case in point occurred last year when we discovered the Triada Trojan inside a WhatsApp mod. Recently, we described a Telegram mod with an embedded spy module, distributed through Google Play. It is the same story with WhatsApp now: several, previously harmless, mods were found to contain a spy module that we detect as Trojan-Spy.AndroidOS.CanesSpy.
How the spy module works
We will use the 80d7f95b7231cc857b331a993184499d sample to illustrate how spy modules operate.
The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client. A broadcast receiver listens for broadcasts from the system and other applications, such as phone starts charging, text message received, or downloader finishes downloading. When the receiver gets a message like that, it calls the event handler. In the WhatsApp spy mod, the receiver runs a service that launches the spy module when the phone is switched on or starts charging.
The service looks to the Application_DM constant in the malware code to choose the command-and-control (C&C) server that the infected device will contact going forward.
When the malicious implant starts, it sends a POST request containing information about the device to the threat operator’s server along the path /api/v1/AllRequest. The information includes the IMEI, phone number, mobile country code, mobile network code, and so on. The Trojan also requests configuration details, such as paths for uploading various types of data, intervals between requests to the C&C, and so on. Furthermore, the module transmits information about the victim’s contacts and accounts every five minutes.
After the device information is successfully uploaded, the malware starts asking the C&C for instructions, which the developers call “orders”, at preconfigured intervals (one minute by default). The table below contains a detailed description of the commands and paths the malware uses to send responses to the server.
Default response path
Send a file from external storage (non-system memory or a removable medium, such as an SD card) as a ZIP archive
File path on the victim device
Send files from external storage that match a specified filter as a ZIP archive
An SQL SELECT row filter used for selecting data when calling ContentResolver (the class used for file access on Android devices)
Send paths to all files in the external storage
Send file names that have a specified extension
An SQL SELECT row filter used for selecting data when calling ContentResolver
Send information about the device, the infected application (package name and spy implant version), and the victim’s contacts and accounts
Record sound from the microphone
Recording duration in seconds
Send information about the spy implant configuration
Change command-and-control servers
A new C&C address
Send files from external storage as a ZIP archive
A list of the paths to the files to upload
It was messages sent to the command-and-control server that caught our attention. They were all in Arabic, which suggests that the developer speaks Arabic as well.
How WhatsApp spy mods are distributed
After discovering the spy modules inside the WhatsApp mods, we decided to find out how they spread. An analysis of statistics pointed to Telegram as the main source. We found a number of Telegram channels, mostly in Arabic and Azeri languages. Just the most popular of these had almost two million subscribers. We alerted Telegram to the fact that the channels were used for spreading malware.
After downloading the latest version of the mod (1db5c057a441b10b915dbb14bba99e72, fe46bad0cf5329aea52f8817fa49168c, 80d7f95b7231cc857b331a993184499d) from each of the channels, we discovered that they contained the spy module described above, which only validated our assumptions. Seeing as how the malware components were not part of the original mod, we examined several recent versions and identified the first one to be infected. According to our findings, the spyware has been active since mid-August 2023. At the time of writing, all versions published in the channels since then contained malware. However, later (around October 20, if judging by the timestamps in the APK) at least one most recent version in at least one of the channels was substituted with a clean version.
Besides the Telegram channels, the infected mods are distributed through various dubious websites dedicated to WhatsApp modifications.
Attack geography of the new WhatsApp spyware
Kaspersky security solutions thwarted more than 340,000 attacks by the WhatsApp spy mod across more than a hundred countries between October 5 and 31. Still, if we consider the nature of the distribution channel, the real number of installations could be much higher. The five countries with the highest attack numbers were Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.
Top 20 countries by number of discovered WhatsApp spy mod infection attempts (download)
We regret to say that we have seen an increase in the number of instant messaging app mods that contain malware code. WhatsApp mods are mostly distributed through third-party Android app stores, which often lack screening and fail to take down malware. Some of these resources, such as third-party app stores and Telegram channels, enjoy considerable popularity, but that is no guarantee of safety. To avoid losing your personal data, we recommend using official instant messaging clients only. Should you need the extra features, we advise that you use a reliable security solution that can detect and block the malware if the mod you chose proves to be infected.
Indicators of compromise
Websites distributing malicious mods