Spy Module Discovered in WhatsApp Mods

Users seeking additional features in mobile apps have been increasingly turning to third-party developers who offer mods that often come with a hidden and malicious agenda.

The findings by Kaspersky particularly focus on several popular WhatsApp mods. These mods were found to contain a spy module identified as Trojan-Spy.AndroidOS.CanesSpy.

According to an advisory published by the security experts earlier today, the spy module functions by utilizing suspicious components in the trojanized client manifest, including a service and a broadcast receiver that are not present in the official WhatsApp client. 

These components listen for various system and application events, such as phone charging, text messages and file downloads. Once activated, the receiver triggers the spy module, usually when the phone is turned on or begins charging.

The malicious implant then transmits crucial device information to a command-and-control (C2) server, including the IMEI, phone number, mobile country code, mobile network code and more. Additionally, it uploads data on the victim’s contacts and accounts every five minutes. The spy module continuously checks the C2 server for instructions, referred to as “orders,” and executes them at pre-configured intervals.

Read more about mobile malware: Mobile Malware and Phishing Surge in 2022

One notable aspect of this case is the discovery of messages sent to the C2 server in Arabic, suggesting the involvement of an Arabic-speaking developer. The distribution of these spy mods was primarily identified through popular Telegram channels, where several mod versions were found to contain the malicious module.

Kaspersky said that between October 5 and 31 alone, its cybersecurity solutions have intercepted over 340,000 attacks related to this WhatsApp spy mod across more than a hundred countries, with high attack numbers recorded in countries like Azerbaijan, Saudi Arabia, Yemen, Turkey and Egypt.

“To avoid losing your personal data, we recommend using official instant messaging clients only,” wrote Kaspersky’s security researcher Dmitry Kalinin in the advisory. “Should you need the extra features, we advise that you use a reliable security solution that can detect and block the malware if the mod you chose proves to be infected.”

Image credit: MardeFondos /

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button