Researchers at Kaspersky have recently uncovered a concerning trend in which attackers are distributing spyware through modified versions of WhatsApp for Android. These modified apps [3] [5] [6], known as WhatsApp mods, are created by third-party developers or users to add new features or customize the app [1]. However, these seemingly harmless modifications actually contain a spyware module called CanesSpy, posing a significant security risk to Android users.

Description

CanesSpy is activated when the infected phone is turned on or starts charging [3], establishing contact with a command and control server [3] [6]. It collects various information about the compromised device [3] [5], including the IMEI, phone number [3] [4], and network codes [3] [4]. The spyware utilizes suspicious components in the trojanized client manifest to monitor system and application events [2], such as phone charging and text messages [2]. Once activated [2] [4], it transmits device information and uploads data on the victim’s contacts and accounts every five minutes [2] [6]. Additionally, the spy module checks a command and control server for instructions and executes them at pre-configured intervals [2].
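A defender's triage for the manifest components described above, as an added example (not code from Kaspersky or any of the cited sources): it diffs a suspect build's manifest against the official one and lists receivers and services that only the suspect build declares. It assumes both manifests have already been decoded to text XML (for instance with apktool). The mapping of the described triggers to standard Android broadcast actions, and every package and class name in the sample manifests, are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the triggers described above to standard Android broadcast actions.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "device boot",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
    "android.provider.Telephony.SMS_RECEIVED": "incoming SMS",
}

def components(manifest_xml):
    """Map receiver/service class name -> set of intent-filter actions it declares."""
    root = ET.fromstring(manifest_xml)
    pkg, app = root.get("package", ""), root.find("application")
    found = {}
    for node in (app if app is not None else []):
        if node.tag in ("receiver", "service"):
            name = node.get(ANDROID_NS + "name", "")
            name = pkg + name if name.startswith(".") else name  # resolve relative names
            found[name] = {a.get(ANDROID_NS + "name", "") for a in node.iter("action")}
    return found

def suspicious_additions(official_xml, candidate_xml):
    """Components absent from the official manifest, with any watched triggers they use."""
    baseline = components(official_xml)
    report = []
    for name, actions in sorted(components(candidate_xml).items()):
        if name not in baseline:
            triggers = sorted(WATCHED_ACTIONS[a] for a in actions if a in WATCHED_ACTIONS)
            report.append((name, triggers))
    return report

# Constructed sample manifests (hypothetical package and class names).
OFFICIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

CANDIDATE = OFFICIAL.replace("</application>", """
    <receiver android:name="org.example.addon.EventReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/></intent-filter>
    </receiver>
    <service android:name="org.example.addon.SyncService"/>
  </application>""")

if __name__ == "__main__":
    print(suspicious_additions(OFFICIAL, CANDIDATE))
```

A component that appears only in the suspect build is a lead for manual review, not proof of compromise; legitimate mods also add components.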

This spyware [1] [2] [3] [4] [5] [6] [7] [8] [9], known as Trojan-Spy.AndroidOS.CanesSpy [2], has been active since mid-August 2023 and primarily targets Arabic and Azeri-speaking users. It has been downloaded over 340,000 times in just one month and has affected users globally. In addition to collecting device information, contacts [2] [3] [4] [5] [6] [9], and account details [9], the spyware can also record microphone audio and extract files from external storage [9]. The trojanized WhatsApp mod was found in popular Telegram channels, and the highest attack rates were recorded in Azerbaijan [9], Saudi Arabia [3] [4] [5] [7] [9], Yemen [3] [4] [5] [7] [9], Turkey [3] [4] [5] [7] [9], and Egypt [3] [4] [5] [9]. Kaspersky Lab has intercepted over 340,000 attacks related to this WhatsApp spy mod across more than a hundred countries [2].

Conclusion

The distribution of malware through modified messaging apps is a growing concern. The CanesSpy spyware poses a significant threat to Android users, compromising their privacy and security. To mitigate this risk, users are strongly advised not to use unofficial versions of WhatsApp and other messaging apps. Instead, they should opt for official instant messaging clients and use reliable security solutions to detect and block such threats. The impact of this spyware has been widespread, affecting users globally and highlighting the need for increased vigilance and awareness of potential security risks in the digital landscape.

References

[1] https://allinfosecnews.com/item/multiple-whatsapp-mods-spotted-containing-the-canesspy-spyware-2023-11-03/
[2] https://www.infosecurity-magazine.com/news/spy-module-whatsapp-mods/
[3] https://www.redpacketsecurity.com/canesspy-spyware-discovered-in-modified-whatsapp-versions/
[4] https://www.cyclonis.com/canesspy-malware-included-in-modified-apps/
[5] https://thehackernews.com/2023/11/canesspy-spyware-discovered-in-modified.html
[6] https://securityonline.info/kaspersky-uncovers-canesspy-espionage-in-whatsapp-mods/
[7] https://www.darkreading.com/dr-global/spyware-designed-for-telegram-mods-also-targets-whatsapp-add-ons
[8] https://cyber.vumetric.com/security-news/2023/11/03/canesspy-spyware-discovered-in-modified-whatsapp-versions/
[9] https://www.prnewswire.com/news-releases/kaspersky-reports-more-than-340-000-attacks-with-new-malicious-whatsapp-mod-301976192.html