Spyware Designed for Telegram Mods Also Targets WhatsApp Add-Ons

Kaspersky researchers have discovered that attackers are distributing spyware that stealthily gathers private data from users of WhatsApp on Android devices, through the same mods earlier discovered for the competing Telegram service.

In a bulletin posted on Nov. 2, Kaspersky counted 340,000 attempts at distributing the spyware via the WhatsApp mod.

Dmitry Kalinin, a Kaspersky security expert, believes the actual number of attempted attacks is greater. "If we consider the nature of the distribution channel, the real number of installations could be much higher," Kalinin explained in the bulletin.

While the attack reached users worldwide, 46% of the victims were in Azerbaijan. Other countries with a large percentage of victims include Yemen, Saudi Arabia, Egypt, and Turkey, primarily nations whose citizens speak Arabic.

WhatsApp mods, legitimate third-party applications designed to give the messaging application enhanced capabilities, have become a haven for malware. In recent years, attackers launched Triada, a mobile Trojan that downloads more malware, launches ads, and intercepts victims' messages. Kaspersky last year warned that Triada was proliferating on legitimate apps such as a spoofed version of the widely used YoWhatsApp.

Targeting Telegram Users

During the summer, Kaspersky warned of a rise in attackers injecting spyware into unofficial Telegram mods, targeting users in China. Kaspersky researcher Igor Golovin wrote in September that this spyware could steal a victim's correspondence, personal data and contacts. "And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks," Golovin noted. Google subsequently removed the offending mods from its Google Play app store.

"It is the same story with WhatsApp now: several, previously harmless, mods were found to contain a spy module that we detect as Trojan-Spy.AndroidOS.CanesSpy," Kalinin now warns. Explaining how the spy module works, Kalinin notes that the Trojan-infected client manifest contains suspicious components, such as a service and a broadcast receiver, which isn't found in the original WhatsApp client.

Upon discovering the spyware in the WhatsApp mods, Kaspersky researchers' analysis showed that Telegram was the primary source in various channels. "Just the most popular of these had almost two million subscribers," Kalinin notes. "We alerted Telegram to the fact that the channels were used for spreading malware."

At the time of publishing, a Kaspersky spokesman says the company hasn't received a response from Telegram. Telegram also didn't respond to an inquiry from Dark Reading, though in an autoreply from its press bot, the company stated: "Telegram is committed to protecting user privacy and human rights such as freedom of speech and assembly. It has played a prominent role in pro-democracy movements around the world."

WhatsApp declined to comment on the specific spyware, but the company discourages the use of unofficial apps, which pose the risk of carrying malware that could breach customers’ privacy and security.