
Malicious WhatsApp mod targets 5 Middle Eastern countries


A seemingly harmless WhatsApp mod has been found to contain a spy module, identified as Trojan-Spy.AndroidOS.CanesSpy, that has targeted hundreds of thousands of devices in the Middle East since October.

The top five countries affected by these targeted attacks are Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt, with Azerbaijan contributing 45.64% of all infection attempts. Other countries outside the Middle East include the United States, Canada, Russia, France, Romania, and Germany, although their share is low.

Cybersecurity researchers from Kaspersky identified the compromised WhatsApp mod and analysed it further.

The researchers used a specific sample (80d7f95b7231cc857b331a993184499d) as an example to demonstrate how the spy module operates. The trojanised mod adds suspicious components to the client's manifest: a service and a broadcast receiver, neither of which is present in the original WhatsApp client.

A broadcast receiver listens for system and application broadcasts and runs a handler when a specific event occurs, such as the phone being plugged in or a text message arriving. In the compromised WhatsApp mod, the receiver launches the spy module when the phone is powered on or put on charge, so the trojan does not depend on the user opening the app.
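The manifest check described above can be automated for any mod you are asked to vet. The following is an added example, not Kaspersky's tooling or anything from the article: it parses a decoded AndroidManifest.xml, lists every declared component, flags those absent from a baseline of the official client's component names, and notes which of them are wired to autostart broadcasts (boot completed, power connected). The baseline names, the injected class names and the manifest fragment are all constructed for this example; in practice you would extract the baseline from the official APK of the same version with apktool or androguard.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Intent actions that start a component without any user interaction.
AUTOSTART_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}

# Hypothetical baseline: the component names you would extract from the
# official client's decoded manifest for the same version. These are
# placeholders for the example, not the real WhatsApp component list.
OFFICIAL_COMPONENTS = {
    "com.whatsapp.Main",
    "com.whatsapp.messaging.MessageService",
    "com.whatsapp.BootReceiver",
}

# Constructed manifest fragment modelled on the pattern the article describes:
# the baseline components plus an extra service and receiver. The injected
# class names (com.example.injected.*) are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.whatsapp">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="WhatsApp">
    <activity android:name="com.whatsapp.Main"/>
    <service android:name="com.whatsapp.messaging.MessageService"/>
    <receiver android:name="com.whatsapp.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.injected.SpyService" android:exported="false"/>
    <receiver android:name="com.example.injected.WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def components(manifest_xml):
    """Return (kind, name, set_of_intent_actions) for every declared component."""
    app = ET.fromstring(manifest_xml).find("application")
    out = []
    for kind in ("activity", "service", "receiver", "provider"):
        for el in app.findall(kind):
            actions = {a.get(ANDROID + "name")
                       for f in el.findall("intent-filter")
                       for a in f.findall("action")}
            out.append((kind, el.get(ANDROID + "name"), actions))
    return out


def find_unexpected(manifest_xml, baseline):
    """Flag components absent from the baseline and record any autostart triggers."""
    findings = []
    for kind, name, actions in components(manifest_xml):
        if name in baseline:
            continue  # same component exists in the official client
        triggers = sorted(actions & AUTOSTART_ACTIONS)
        findings.append({"kind": kind, "name": name, "autostart": triggers})
    return findings


if __name__ == "__main__":
    for finding in find_unexpected(SAMPLE_MANIFEST, OFFICIAL_COMPONENTS):
        print(finding)
```

A component that is both absent from the official client and tied to a boot or power broadcast is the strongest signal here; a name mismatch alone can be a legitimate addition by the mod author, so the receiver's intent filter is what turns a difference into a finding worth pulling the dex for.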

List of affected countries. | Source: Kaspersky

Once active, the service contacts a command-and-control (C2) server selected based on the Application_DM value in the malware code. The spy module collects device information, including the IMEI, mobile network code, country code and phone number, among others, and sends it to the threat actors' servers.

The trojan also sends the victim's contact list and the accounts configured on the device every five minutes. The spy module keeps communicating with the C2 server, requesting instructions at predefined intervals.
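The fixed five-minute cadence described above is the kind of behaviour that is easier to spot on the network than on the device. As an added example, not from Kaspersky or the article, the script below runs a simple beacon detector over a constructed set of outbound connection records: it groups connections by device and destination, computes the gaps between successive connections, and reports pairs whose gaps all sit within a tolerance of a target period. The log format, device name and IP addresses are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample of outbound connection records (not real telemetry):
# "<ISO-8601 UTC time> <device> <src ip> -> <dst ip>:<port>"
# dev01 talks to 203.0.113.10 roughly every 300 s and to 198.51.100.7 at random.
SAMPLE_LOG = """\
2023-10-12T08:00:03Z dev01 10.0.0.5 -> 203.0.113.10:443
2023-10-12T08:00:10Z dev01 10.0.0.5 -> 198.51.100.7:443
2023-10-12T08:01:45Z dev01 10.0.0.5 -> 198.51.100.7:443
2023-10-12T08:05:04Z dev01 10.0.0.5 -> 203.0.113.10:443
2023-10-12T08:07:00Z dev01 10.0.0.5 -> 198.51.100.7:443
2023-10-12T08:10:02Z dev01 10.0.0.5 -> 203.0.113.10:443
2023-10-12T08:15:03Z dev01 10.0.0.5 -> 203.0.113.10:443
2023-10-12T08:20:05Z dev01 10.0.0.5 -> 203.0.113.10:443
2023-10-12T08:25:03Z dev01 10.0.0.5 -> 203.0.113.10:443
2023-10-12T08:30:12Z dev01 10.0.0.5 -> 198.51.100.7:443
2023-10-12T08:31:00Z dev01 10.0.0.5 -> 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (device, destination ip)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, _src, _arrow, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(device, dst.rsplit(":", 1)[0])].append(when)
    return flows


def find_beacons(text, period=300, tolerance=0.10, min_connections=5):
    """Report (device, dst) pairs whose connection gaps all cluster around `period` seconds."""
    hits = []
    for (device, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue  # too few samples to call a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        limit = period * tolerance
        # Median near the period and every gap within tolerance: real beacons
        # have little jitter, ordinary user traffic does not.
        if abs(median(gaps) - period) > limit:
            continue
        if any(abs(g - period) > limit for g in gaps):
            continue
        hits.append({"device": device, "dst": dst,
                     "connections": len(times), "median_gap_s": median(gaps)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The jitter check is what separates this from a naive "about five minutes apart" filter: the irregular traffic to 198.51.100.7 also has a median gap close to 300 s, but its individual gaps vary wildly, so it is correctly ignored. Tune `period` and `tolerance` to the interval you are hunting for; the contact-list upload in this case would be hunted with `period=300`.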


Distribution of WhatsApp spy mods

Kaspersky's investigation revealed that the primary distribution channel for these WhatsApp spy mods is Telegram, specifically channels aimed at Arabic- and Azerbaijani-speaking audiences.

Researchers found that some of these channels have as many as two million subscribers.

Kaspersky alerted Telegram to the presence of these channels and their role in distributing malware. The spy module was found in multiple versions of the mods, indicating that the malware has been active since mid-August.

Telegram acts as a massive distribution channel for malicious WhatsApp mod. | Source: Kaspersky

Researchers also noted that the infected versions had been present on these channels up to October 20th, when at least one channel substituted a malware-free version of the mod.

Apart from Telegram, the compromised mods are distributed through various websites solely dedicated to WhatsApp mods.

Between October 5 and October 31, Kaspersky's products blocked more than 340,000 attacks by WhatsApp spy mods. The researchers believe the number of installations is likely much higher, given how readily available the distribution channels are.

The researchers have urged users to use the official WhatsApp client and to uninstall any modded version promptly.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
