Cybersecurity researchers have unearthed a number of WhatsApp mods for Android that come fitted with a spyware module dubbed CanesSpy.
These modified versions of the instant messaging app have been observed propagated via sketchy websites advertising such modded software as well as Telegram channels used primarily by Arabic and Azerbaijani speakers, one of which boasts of two million users.
“The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client,” Kaspersky security researcher Dmitry Kalinin said.
Specifically, the new additions are designed to activate the spyware module when the phone is switched on or starts charging.
It subsequently proceeds to establish contact with a command-and-control (C2) server, followed by sending information about the compromised device, such as the IMEI, phone number, mobile country code, and mobile network code.
CanesSpy also transmits details about the victim’s contacts and accounts every five minutes, in addition to awaiting further instructions from the C2 server every minute, a setting that can be reconfigured.
This includes sending files from external storage (e.g., removable SD card), contacts, recording sound from the microphone, sending data about the implant configuration, and altering the C2 servers.
The fact that the messages sent to the C2 server are all in Arabic indicates that the developer behind the operation is an Arabic speaker.
Further analysis of the operation shows that the spyware has been active since mid-August 2023, with the campaign primarily targeting Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.
WhatsApp, for its part, treats unofficial and third-party versions as fake, cautioning that “we can’t validate their security practices” and that using them may pose the risk of carrying malware that could breach customers’ privacy and security.
Last year, the Meta-owned company also filed a lawsuit against three developers in China and Taiwan for distributing unofficial WhatsApp apps, including HeyMods, that resulted in the compromise of over one million user accounts.
“WhatsApp mods are mostly distributed through third-party Android app stores, which often lack screening and fail to take down malware,” Kalinin said. “Some of these resources, such as third-party app stores and Telegram channels, enjoy considerable popularity, but that is no guarantee of safety.”