Hackers Spreading WhatsApp Spy Mods Via Telegram

WhatsApp does not officially support WhatsApp mods, and the mods themselves vary in popularity. Some users are attracted to them for extra features and customization options. 

However, using WhatsApp mods can expose users to security risks, as they are not subject to the same security checks as the official app. 

Hackers may exploit vulnerabilities in these mods to perform spy operations, such as:

  • Intercepting messages
  • Accessing contacts
  • Distributing malware

Recently, cybersecurity researchers at Securelist found previously safe mods containing a Trojan-Spy module identified as:

  • Trojan-Spy.AndroidOS.CanesSpy

Technical analysis

The malicious WhatsApp mod has suspicious components, such as a broadcast receiver, that are not present in the original program. This receiver triggers a spy module when the phone is turned on or charging.

Suspicious app components (Source – Securelist)
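
The check described above (components the mod declares that the original program does not) can be sketched as a manifest comparison. This is an added example, not code from Securelist or from the article. It assumes both AndroidManifest.xml files have already been decoded to text XML, it assumes "turned on or charging" maps to the standard BOOT_COMPLETED and ACTION_POWER_CONNECTED broadcasts, and all package and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
# Assumption: "turned on or charging" corresponds to these standard Android broadcasts.
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.ACTION_POWER_CONNECTED"}

def components(manifest_xml):
    """Map (tag, fully qualified class name) -> set of intent-filter actions."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    found = {}
    for node in (app if app is not None else []):
        if node.tag not in COMPONENT_TAGS:
            continue
        name = node.get(ANDROID + "name", "")
        if name.startswith("."):          # ".Foo" is relative to the package
            name = package + name
        elif "." not in name:             # "Foo" is also relative to the package
            name = package + "." + name
        actions = {a.get(ANDROID + "name") for a in node.iter("action")}
        found.setdefault((node.tag, name), set()).update(actions)
    return found

def added_components(official_xml, mod_xml):
    """List components only the mod declares; note receivers that auto-start."""
    baseline = components(official_xml)
    report = []
    for (tag, name), actions in sorted(components(mod_xml).items()):
        if (tag, name) in baseline:
            continue
        auto = sorted(actions & TRIGGERS) if tag == "receiver" else []
        report.append({"type": tag, "name": name, "auto_start": auto})
    return report

# Constructed sample manifests (hypothetical package and class names).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.messenger"><application>')
TAIL = "</application></manifest>"
OFFICIAL = HEAD + '<activity android:name=".Main"/><service android:name="SyncService"/>' + TAIL
MOD = OFFICIAL.replace(TAIL, '''
  <service android:name="com.example.added.CollectorService"/>
  <receiver android:name="com.example.added.StartReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
  </intent-filter></receiver>''' + TAIL)

if __name__ == "__main__":
    for item in added_components(OFFICIAL, MOD):
        print(item)
```

An added receiver with a non-empty `auto_start` list, paired with an added service, is the pattern worth manual review; legitimate updates also add components, so a hit is a lead rather than a verdict.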

The service selects a C&C server via the Application_DM constant. It sends device info like IMEI, phone number, and more to the server. 

Besides this, every five minutes, the module also shares configuration details and the victim’s data.

Once device information is uploaded, the malware requests instructions (“orders”) from the C&C at set intervals, typically one minute.

The Arabic-language communications sent to the C&C server suggested that the developer spoke Arabic.

WhatsApp Spy Mods Distribution

Spy modules in WhatsApp mods led researchers to investigate their distribution. They traced it to Telegram channels, mainly in Arabic and Azeri languages. 

The largest channel had nearly two million subscribers, and analysts reported this to Telegram as a means of malware distribution.

WhatsApp spy mods distributed via Telegram (Source – Securelist)

Researchers downloaded the latest mod versions from the channels and confirmed the spy module. 

They found the spyware in versions since mid-August 2023, but one channel later replaced it with a clean version around October 20.

Infected mods spread through Telegram channels and suspicious WhatsApp modification websites. 

Kaspersky blocked over 340,000 attacks in over 100 countries in October, but the actual installations could be higher due to the distribution channel.

WhatsApp mods are typically found on third-party Android app stores and Telegram channels, which may lack security measures. 

For data safety, always stick to official messaging apps. If you want extra features, consider using a trusted security solution to detect and block malware in mods.


Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.