Researchers from cybersecurity firm Kaspersky have recently uncovered a new threat affecting users of the popular messaging app WhatsApp on Android devices. The spyware appears to be distributed through modified versions of the app, similar to those previously identified in relation to the rival messaging service Telegram. This discovery raises concerns about the growing trend of malicious activity within third-party application modifications.

The bulletin published by Kaspersky on November 2 highlights that the spyware has been deployed in approximately 340,000 attempted attacks via WhatsApp mods. However, security expert Dmitry Kalinin suspects that the actual number of installations could be much higher due to the nature of the distribution channel.

While the attack has impacted users worldwide, the majority of victims, comprising 46%, are located in Azerbaijan. Other countries affected include Yemen, Saudi Arabia, Egypt, and Turkey, which are primarily nations where Arabic is spoken.

WhatsApp mods, which are legitimate third-party apps designed to provide additional functionalities to the messaging platform, have become attractive targets for malware and hackers. Notably, a previous attack called Triada, a mobile Trojan, utilized modifications to infiltrate legitimate apps. Kaspersky’s warning about Triada’s proliferation on apps like YoWhatsApp remains relevant and underscores the need for heightened caution when using modified applications.

Interestingly, Kaspersky researchers have observed a similar trend with Telegram. Earlier this year, they discovered spyware injected into unofficial mods of Telegram, with a focus on users in China. This spyware was able to compromise user privacy by stealing correspondence, personal data, and contacts. The fact that the malware code was only marginally different from the original Telegram code allowed it to pass security checks on Google Play.

In the case of WhatsApp, the malicious spyware, dubbed Trojan-Spy.AndroidOS.CanesSpy, was found within previously innocuous mods. The spy module shows up in the client manifest, which declares components, such as a service and a broadcast receiver, that are absent from the official WhatsApp client.

Further analysis conducted by Kaspersky revealed that Telegram served as the primary source for various channels distributing the spyware. The most popular of these channels had nearly two million subscribers, prompting Kaspersky to notify Telegram about the malware distribution.

So far, neither Telegram nor WhatsApp’s parent company, Meta, has responded to inquiries from Kaspersky or Dark Reading regarding this issue. However, both companies have previously expressed commitments to user privacy and security.

FAQs:

Q: What is spyware?

A: Spyware is malicious software that secretly gathers sensitive information from a user’s device without their knowledge or consent.

Q: What are WhatsApp mods?

A: WhatsApp mods are unofficial third-party applications that offer additional features beyond what is available in the official WhatsApp application.

Q: What should users do to protect themselves from these types of attacks?

A: Users should exercise caution when downloading and using unofficial versions of messaging apps. It is recommended to stick to the official app stores and regularly update applications to ensure the latest security patches are in place.

Q: How can users identify if their device is infected with spyware?

A: Indicators of spyware infection include unusual behavior of apps, decreased device performance, excessive data usage, and unexpected battery drain. If users suspect their device is compromised, they should use reputable antivirus software to scan for and remove any malicious software.