A new malicious WhatsApp spy mod that spreads through Telegram, and that has been recorded in over 340,000 attacks in a month, is fast spreading on the two popular messaging apps, tech security firm Kaspersky has alerted.
Kaspersky researchers recently uncovered the malware that serves its intended purpose by extending user experience, but “also clandestinely harvests personal information from its victims,” according to a statement made available to Technology Times by the tech security firm.
“With an extensive reach surpassing 340,000 in just one month,” Kaspersky says, “this malware predominantly targets users who communicate in Arabic and Azeri, though victims have been identified globally. Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt witnessed the highest attack rates.”
While users often turn to third-party mods for popular messaging apps to add extra features, the tech security firm says that “some of these mods, while enhancing functionality, also come with hidden malware.”
Kaspersky says it has identified a new WhatsApp mod that not only offers additions like scheduled messages and customisable options but also contains a malicious spyware module.
Kaspersky researchers say that “the modified WhatsApp client’s manifest file includes suspicious components (a service and a broadcast receiver) not present in the original version. The receiver initiates a service, launching the spy module when the phone is powered on or charging. Once activated, the malicious implant sends a request with device information to the attacker’s server.”
They explain that “this data covers IMEI, phone number, country and network codes, and more. It also transmits victim’s contacts and account details every five minutes; it is also able to set up microphone recordings and exfiltrate files from external storage.”
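The manifest check the researchers describe can be reproduced by comparing the services and broadcast receivers declared by a mod against those of the official client. The following Python sketch is an added example, not Kaspersky's code: it assumes both manifests have already been decoded to text XML (for example with apktool), that the "powered on or charging" triggers correspond to the standard Android BOOT_COMPLETED and ACTION_POWER_CONNECTED broadcasts, and all package and component names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: standard Android broadcasts matching "powered on or charging".
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
}

# Constructed sample manifests (decoded text XML); every name is a placeholder.
OFFICIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.im">
  <application>
    <service android:name="com.example.im.MessageService"/>
    <receiver android:name="com.example.im.PushReceiver"/>
  </application>
</manifest>"""

MODDED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.im">
  <application>
    <service android:name="com.example.im.MessageService"/>
    <receiver android:name="com.example.im.PushReceiver"/>
    <service android:name="com.example.extra.SyncService"/>
    <receiver android:name="com.example.extra.PowerReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def components(manifest_xml):
    """Map (tag, name) -> set of intent-filter actions for services and receivers."""
    found = {}
    for node in ET.fromstring(manifest_xml).iter():
        if node.tag in ("service", "receiver"):
            found[(node.tag, node.get(ANDROID_NS + "name"))] = {
                a.get(ANDROID_NS + "name") for a in node.iter("action")}
    return found

def added_components(official_xml, modded_xml):
    """List components declared only by the mod, with any boot/charging triggers."""
    base, mod = components(official_xml), components(modded_xml)
    return [{"type": tag, "name": name,
             "triggers": sorted(mod[(tag, name)] & TRIGGER_ACTIONS)}
            for tag, name in sorted(set(mod) - set(base))]

if __name__ == "__main__":
    for item in added_components(OFFICIAL, MODDED):
        print(item)
```

When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml rather than the standard library's ElementTree.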
The malicious version found its way through popular Telegram channels, the researchers found out, predominantly targeting Arabic and Azeri speakers, with some of these channels boasting nearly two million subscribers.
“Kaspersky researchers alerted Telegram about the issue. Kaspersky’s telemetry identified over 340,000 attacks involving this mod just in October. This threat emerged relatively recently, becoming active in mid-August 2023,” according to the tech security firm.
Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt are the top 5 countries with the highest attack rates. While the preference leans towards Arabic and Azerbaijani-speaking users, it also impacts users from around the world.
“People naturally trust apps from highly followed sources, but fraudsters exploit this trust. The spread of malicious mods through popular third-party platforms highlights the importance of using official IM clients. However, if you need some extra features not presented in the original client, you should consider employing a reputable security solution before installing third-party software, as it will protect your data from being compromised. For robust personal data protection, always download apps from official app stores or official websites,” comments Dmitry Kalinin, security expert at Kaspersky.
WhatsApp mod malware: How to stay safe
To stay safe, Kaspersky experts recommend that users should take the following precautions:
- Use official marketplaces: Download apps and software from reputable and official sources. Avoid third-party app stores, as the risk that they host malicious or compromised apps is higher.
- Use reputable security software: Install and maintain reputable antivirus and anti-malware software on your devices. Regularly scan your devices for potential threats and keep your security software up to date.
- Educate yourself about common scams: Stay informed about the latest cyber threats, techniques, and tactics. Be cautious of unsolicited requests, suspicious offers, or urgent demands for personal or financial information.
- Third-party software from popular sources often comes with zero warranty. Keep in mind that such apps can contain malicious implants, e.g. because of supply chain attacks.
Editor’s Note: The headline of the article read that 430,000 monthly attacks were recorded instead of 340,000 monthly attacks. This has been updated to reflect the correct figure after this was brought to our attention.