International. Kaspersky researchers announced the discovery of a new malicious WhatsApp mod with spying capabilities that is spreading through another popular messaging platform, Telegram, presented as a modification that seeks to improve the user experience.
However, this modification also clandestinely collects personal information from its victims. With a wide reach exceeding 340,000 downloads in just one month, this malware primarily targets users communicating in Arabic and Azerbaijani, although victims have been identified worldwide.
Users often turn to third-party mods for popular messaging apps to add extra features. However, some of these modifications, while improving functionality, also come with hidden malware. Kaspersky has identified a new WhatsApp mod that offers not only add-ons, such as scheduled messages and customizable options, but also a malicious spyware module.
The manifest file of the modified WhatsApp client includes suspicious components (a service and a broadcast receiver) that are not present in the original version. The receiver initiates the service, starting the spy module when the phone is turned on or put on charge. Once activated, the malicious implant sends a request with device information to the attacker's server. This data covers IMEI, phone number, country and network codes, and more. It also transmits the victim's contacts and account details every five minutes, can set up microphone recordings, and can extract files from external storage.
The malicious version was distributed through popular Telegram channels, mainly targeting Arabic and Azerbaijani speakers; some of these channels boast nearly two million subscribers. Kaspersky's telemetry identified more than 340,000 attacks related to this mod in October alone. This threat emerged relatively recently and became active in mid-August 2023. Kaspersky researchers alerted Telegram to the issue.
Azerbaijan, Saudi Arabia, Yemen, Turkey and Egypt witnessed the highest attack rates. While the preference leans towards Arabic-speaking and Azerbaijani-speaking users, the malware has also affected people from the US, UK, Germany, Russia, and elsewhere.
Kaspersky products detect the Trojan with the following verdict: Trojan-Spy.AndroidOS.CanesSpy.