Kaspersky reports more than 340 000 attacks with new malicious WhatsApp mod. (Image by Shutterstock)

New malicious WhatsApp spy mod affecting Telegram users

  • There is a new malicious WhatsApp spy mod which is proliferating within another popular messenger, Telegram.
  • The mod has been harvesting personal information from its victims.
  • This malware predominantly targets users who communicate in Arabic and Azeri.

When it comes to using social media apps like WhatsApp, Facebook and Instagram, some users like having additional features to improve their experience. These third-party mods are usually legal and can be found on the Play Store.

There are many mods available for WhatsApp. The most popular WhatsApp mods include GBWhatsApp, which provides users the ability to run multiple accounts through the same app, more commonly known as ‘forking.’ WhatsApp Plus Mode is another example and is a very similar mod to GBWhatsApp. Not only does this mod add a lot of enhanced functionality to the existing app, it also carries the essential anti-ban feature which stops WhatsApp from revoking a user’s WhatsApp access. 

While there are many more WhatsApp mods available, a recent report from Kaspersky showed that some of these mods are also contaminated with hidden malware. Kaspersky has identified a new WhatsApp mod that not only offers additions like scheduled messages and customizable options but also contains a malicious spyware module.

A new WhatsApp mod brings malware to Telegram users.

According to the report, the modified WhatsApp client’s manifest file includes suspicious components: a service and a broadcast receiver that are not present in the original version. The receiver starts the service, which launches the spy module when the phone is powered on or starts charging.

Once activated, the malicious implant sends a request with device information to the attacker’s server. This data covers IMEI, phone number, country and network codes, and more. It also transmits the victim’s contacts and account details every five minutes, and it can set up microphone recordings and exfiltrate files from external storage.

Examples of Telegram channels distributing malicious mods (Source – Kaspersky)

WhatsApp mod targets Telegram users

Kaspersky’s report also pointed out that the WhatsApp mod has found its way to the Telegram social messaging app. Despite Telegram’s claims to be a more secure social messaging app, Kaspersky’s telemetry identified over 340,000 attacks involving this mod in October alone.

The mod has been predominantly targeting Arabic and Azeri speakers, with some of these channels boasting nearly two million subscribers. This threat emerged relatively recently, becoming active in mid-August 2023. 

Arabic and Azerbaijani-speaking users in Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt witnessed the highest attack rates. Kaspersky also reported that individuals from the US, Russia, UK, Germany and beyond have been impacted.

“People naturally trust apps from highly followed sources, but fraudsters exploit this trust. The spread of malicious mods through popular third-party platforms highlights the importance of using official IM clients,” said Dmitry Kalinin, security expert at Kaspersky. 

Kaspersky products detect the Trojan: Trojan-Spy.AndroidOS.CanesSpy. (Image by Kaspersky)

Kalinin added that users who need extra features not present in the original client should consider employing security solutions before installing third-party software, as this will protect their data from being compromised. He also suggested users always download apps from official app stores or official websites.

Put simply, to stay safe, Kaspersky experts recommend:  

  • Download apps and software from reputable and official sources. Avoid third-party app stores, as the risk they may host malicious or compromised apps is higher. 
  • Install and maintain reputable antivirus and anti-malware software on devices. Regularly scan devices for potential threats and keep security software up to date.  
  • Stay informed about the latest cyber threats, techniques, and tactics. Be cautious of unsolicited requests, suspicious offers, or urgent demands for personal or financial information.  
  • Third-party software from popular sources often comes with zero warranty. Keep in mind that such apps can contain malicious implants, e.g. because of supply chain attacks.

On a separate note, Southeast Asia has also been witnessing an increase in the number of similar situations, especially with the growing mobile population. Users continue to fall for scams by clicking on secured links on social media apps, downloading unsecured extensions for apps and scanning compromised QR codes.

For example, when Apple was about to release its iPhone 15, Kaspersky experts uncovered a range of scams that exploited the excitement around the event. These scams encompassed various fraudulent schemes, each carrying distinct risks for unsuspecting consumers, including potential data and financial losses.