{"id":22072,"date":"2023-11-16T08:47:20","date_gmt":"2023-11-16T13:47:20","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=22072"},"modified":"2023-11-24T20:37:15","modified_gmt":"2023-11-24T16:37:15","slug":"whatsapp-mods-canesspy","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/whatsapp-mods-canesspy\/22072\/","title":{"rendered":"WhatsApp mods with spyware"},"content":{"rendered":"

Over the past decade, messaging apps such as WhatsApp and Telegram have become an integral part of life for almost every internet user. Billions of people use them to chat with loved ones, share funny pictures and videos with friends, communicate with coworkers, catch up on the news, and so on. Just try to imagine modern life without messengers. Hard, isn\u2019t it? Unfortunately, these indispensable apps sometimes contain hidden threats.<\/p>\n

WhatsApp and Telegram mods: the whats and whys<\/h2>\n

\nSome people think that the official WhatsApp and Telegram apps lack functionality \u2014 be that additional options to customize the interface or something more specific; for example, the ability to hide chats, automatically translate messages, or view messages deleted by chat partners. And the list of \u201cmissing\u201d features is a very long one.<\/p>\n

Third-party developers create modifications<\/em>, or mods<\/em> of standard WhatsApp and Telegram apps to satisfy even the most peculiar user needs, and there are a great many such mods.<\/p>\n

The problem with installing any of them is that the user must entrust their correspondence not only to the original messenger developers but also to the mod developers, who can easily hide malicious modules in them; mod distributors can also add something of their own.<\/p>\n

In the case of WhatsApp, the situation with mods is further complicated by its owners. They don\u2019t approve of modifications and so hinder their distribution. From time to time, WhatsApp\u2019s owners try to prohibit folks from using mods<\/a> \u2014 albeit unsuccessfully thus far. Meanwhile they have had some success in barring alternative clients for WhatsApp from the official stores like Google Play and App Store.<\/p>\n

As a consequence, users of WhatsApp mods are accustomed to downloading them from just about anywhere. APK files are boldly downloaded, settings are switched to allow installation from unknown sources<\/a>, and mods are then run on phones. And cybercriminals exploit this carelessness by embedding malware in the mods.<\/p>\n

Our experts recently found<\/a> several such infected mods, which we\u2019ll take a look at in this post.<\/p>\n\n

Infected WhatsApp mods on Telegram<\/h2>\n

\nThe WhatsApp mods that caught our experts\u2019 attention hadn\u2019t previously shown any malicious activity. Now, however, they contain a spy module, which our security solutions<\/a> detect as Trojan-Spy.AndroidOS.CanesSpy.<\/p>\n

After installation on the victim\u2019s smartphone, an infected WhatsApp mod waits for the phone to be turned on or put on charge before launching the spy module. It contacts one of the C2 servers from the respective list and uploads various information about the device to it, such as phone number, IMEI, cellular network code, and so on. What\u2019s more, the spy Trojan sends information about the victim\u2019s contacts and accounts to the server every five minutes, all the while waiting for commands.<\/p>\n

Leaving service commands aside, the spy module\u2019s capabilities are essentially reduced to two functions:<\/p>\n