A new WhatsApp mod has emerged, offering additional features and customizability to users, while simultaneously posing a hidden threat. Kaspersky researchers recently discovered that this modified version of WhatsApp, which is circulating through the popular messenger app Telegram, secretly harvests personal information from its victims. This malicious spyware module has already amassed over 340,000 downloads within a month.

Third-party mods are often sought out by users to enhance their messaging app experience. However, these mods can come with hidden malware, as seen in this instance. The modified WhatsApp client includes suspicious components in its manifest file that were not present in the original version. One such component, a broadcast receiver, triggers a service that activates the spy module whenever the phone is powered on or charging.
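The manifest comparison described above can be reproduced as a triage check. The following is an added example, not Kaspersky's tooling or code from the mod: it assumes both manifests have already been decoded to text XML, all package and component names are hypothetical, and the two intent actions are the standard Android broadcasts assumed here to correspond to "powered on" and "charging".

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: standard Android broadcasts for "powered on" and "charging".
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.ACTION_POWER_CONNECTED"}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifests (decoded XML); every name below is hypothetical.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <application>
    <activity android:name=".Main"/>
    <service android:name=".MessageService"/>
  </application>
</manifest>"""

MODDED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <application>
    <activity android:name=".Main"/>
    <service android:name=".MessageService"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def components(manifest_xml):
    """Map (tag, name) -> set of intent-filter actions for each declared component."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in COMPONENT_TAGS:
        for node in root.iter(tag):
            actions = {a.get(ANDROID + "name") for a in node.iter("action")}
            found[(tag, node.get(ANDROID + "name"))] = actions
    return found

def added_components(original_xml, modded_xml):
    """List components declared only in the modded manifest, flagging auto-start triggers."""
    base = components(original_xml)
    return [{"tag": t, "name": n, "auto_start": sorted(acts & TRIGGERS)}
            for (t, n), acts in sorted(components(modded_xml).items())
            if (t, n) not in base]

if __name__ == "__main__":
    print(*added_components(ORIGINAL, MODDED), sep="\n")
```

A receiver that appears only in the repackaged manifest and carries a non-empty `auto_start` list is the pattern to escalate for manual review. When parsing manifests from untrusted APKs, swap in a hardened XML parser such as `defusedxml`.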

Once activated, the spyware sends a request to the attacker’s server, transmitting the victim’s device information, such as the IMEI, phone number, country and network codes, and more. Additionally, it continuously transmits the victim’s contacts and account details, records audio through the microphone, and exfiltrates files from external storage.

The mod specifically targets users who communicate in Arabic and Azeri, but its impact has been felt globally. Countries like Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt have experienced the highest attack rates. However, individuals from the US, UK, Germany, Russia, and other locations have also been affected.

Kaspersky researchers have already alerted Telegram to this issue, highlighting an urgent need for vigilance. Users are advised to exercise caution when downloading third-party applications, favoring official app stores or official websites. Additionally, the installation of reputable security software is recommended to detect and protect against potential threats.

