Several WhatsApp mods for Android have been used by threat actors to facilitate the deployment of the CanesSpy spyware, The Hacker News reports.
Unlike the original WhatsApp client, the trojanized versions included a service and a broadcast receiver that activated the spyware when the Android device on which they were installed was powered on or started charging, according to a Kaspersky report.
After connecting to a command-and-control server, CanesSpy proceeds to deliver not only device information, such as IMEI, mobile number, and country code, but also contacts, accounts, and external storage-based files. All exfiltrated data sent to C2 servers were in Arabic, suggesting an Arabic-speaking threat actor behind the attacks, said researchers.
The development follows a recent string of cases in which messaging apps were exploited for malware distribution.
"WhatsApp mods are mostly distributed through third-party Android app stores, which often lack screening and fail to take down malware. Some of these resources, such as third-party app stores and Telegram channels, enjoy considerable popularity, but that is no guarantee of safety," said Kaspersky researcher Dmitry Kalinin.