Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

Spyware Designed for Telegram Mods Also Targets WhatsApp Add-Ons

Researchers discovered spyware designed to steal from Android devices and from Telegram mods can also reach WhatsApp users.

2 Min Read
WhatsApp on a mobile device with the end to end secure message displayed
Source: Lenscap via Alamy Stock Photo

Kaspersky researchers have discovered that attackers are distributing spyware that stealthily gathers private data from users of WhatsApp on Android devices, through the same mods earlier discovered for the competing Telegram service.

In a bulletin posted on Nov. 2, Kaspersky counted 340,000 attempts at distributing the spyware via the WhatsApp mod.

Dmitry Kalinin, a Kaspersky security expert, believes the actual number of attempted attacks is greater. "If we consider the nature of the distribution channel, the real number of installations could be much higher," Kalinin explained in the bulletin.

While the attack reached users worldwide, 46% of the victims were in Azerbaijan. Other countries with a large percentage of victims include Yemen, Saudi Arabia, Egypt, and Turkey, primarily nations whose citizens speak Arabic.

WhatsApp mods, legitimate third-party applications designed to give the messaging application enhanced capabilities, have become a haven for malware. In recent years, attackers launched Triada, a mobile Trojan that downloads more malware, launches ads, and intercepts victims' messages. Kaspersky last year warned that Triada was proliferating on legitimate apps such as a spoofed version of the widely used YoWhatsApp.

Targeting Telegram Users

During the summer, Kaspersky warned of a rise in attackers injecting spyware into unofficial Telegram mods, targeting users in China. Kaspersky researcher Igor Golovin wrote in September that this spyware could steal a victim's correspondence, personal data and contacts. "And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks," Golovin noted. Google subsequently removed the offending mods from its Google Play app store.

"It is the same story with WhatsApp now: several, previously harmless, mods were found to contain a spy module that we detect as Trojan-Spy.AndroidOS.CanesSpy," Kalinin now warns. Explaining how the spy module works, Kalinin notes that the Trojan-infected client manifest contains suspicious components, such as a service and a broadcast receiver, which isn't found in the original WhatsApp client.

Upon discovering the spyware in the WhatsApp mods, Kaspersky researchers' analysis showed that Telegram was the primary source in various channels. "Just the most popular of these had almost two million subscribers," Kalinin notes. "We alerted Telegram to the fact that the channels were used for spreading malware."

At the time of publishing, a Kaspersky spokesman says the company hasn't received a response from Telegram. Telegram also didn't respond to an inquiry from Dark Reading, though in an autoreply from its press bot, the company stated: "Telegram is committed to protecting user privacy and human rights such as freedom of speech and assembly. It has played a prominent role in pro-democracy movements around the world."

WhatsApp declined to comment on the specific spyware, but the company discourages the use of unofficial apps, which pose the risk of carrying malware that could breach customers’ privacy and security.

About the Author

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights