Image: Dimitri Karastelev via Unsplash

Arabic-speaking WhatsApp users targeted with spyware

Unknown hackers are targeting users in Saudi Arabia, Yemen and Azerbaijan with spying malware distributed through user-created WhatsApp mods that customize or add new features to the service.

In the latest campaign, researchers at the cybersecurity firm Kaspersky discovered previously harmless WhatsApp mods that had been injected with malicious code designed to spy on Android users in Arabic- and Azeri-speaking countries.

These mods have been active since mid-August 2023 and were mostly distributed through several Telegram channels with thousands of subscribers. Kaspersky said it thwarted over 340,000 attacks in October by the new WhatsApp spyware across more than a hundred countries, with the highest number of installations in Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.

Besides the Telegram channels, the infected mods are distributed through various “dubious” websites dedicated to third-party versions of WhatsApp, the researchers said. WhatsApp, which is owned by Meta, warns users that modified versions of the app violate its terms of service.

The mods contain a component that can receive technical information from the device, such as when the phone starts charging, when a text message is received or when a download is completed. If the phone is switched on or begins charging, the mod can activate the spy module on the device.
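A defender triaging a suspect mod can look for this kind of trigger component by comparing broadcast receivers in its manifest against the official build. The sketch below is an added example, not code from Kaspersky or the article. It assumes both manifests have already been decoded to text XML (for instance with apktool), uses the standard Android broadcast actions for the events named above, and runs on constructed sample manifests with hypothetical class names.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Standard Android broadcast actions for the events the article lists.
# Assumption: the article does not say which exact actions the mods register.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",          # phone switched on
    "android.intent.action.ACTION_POWER_CONNECTED",  # charging started
    "android.provider.Telephony.SMS_RECEIVED",       # text message received
    "android.intent.action.DOWNLOAD_COMPLETE",       # download completed
}

def trigger_receivers(manifest_xml):
    """Map each <receiver> class to the trigger actions it subscribes to."""
    found = {}
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        hits = actions & TRIGGER_ACTIONS
        if hits:
            found[receiver.get(NAME, "<unnamed>")] = hits
    return found

def added_receivers(official_xml, candidate_xml):
    """Trigger subscriptions present in the candidate build but not the official one."""
    baseline = trigger_receivers(official_xml)
    added = {}
    for name, hits in trigger_receivers(candidate_xml).items():
        new = hits - baseline.get(name, set())
        if new:
            added[name] = new
    return added

# Constructed sample manifests (package and class names are hypothetical).
def _manifest(receivers):
    body = "".join(
        f'<receiver android:name="{cls}"><intent-filter>'
        + "".join(f'<action android:name="{a}"/>' for a in acts)
        + "</intent-filter></receiver>"
        for cls, acts in receivers.items())
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f"<application>{body}</application></manifest>")

BOOT = "android.intent.action.BOOT_COMPLETED"
OFFICIAL = _manifest({"com.example.messenger.BootReceiver": [BOOT]})
MOD = _manifest({"com.example.messenger.BootReceiver": [BOOT],
                 "com.example.injected.EventReceiver": sorted(TRIGGER_ACTIONS)})

if __name__ == "__main__":
    for cls, acts in added_receivers(OFFICIAL, MOD).items():
        print(cls, sorted(acts))
```

A receiver that appears only in the modified build is a lead for manual review rather than proof of compromise, since legitimate apps also subscribe to these events.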

The information that the hackers can obtain by running this spy module includes the victim’s phone number, mobile country code, mobile network code, as well as paths for uploading various types of data. Additionally, the module transmits information about the victim's contacts and accounts every five minutes.

Kaspersky researchers said that they’ve seen an increase in the number of instant messaging app mods that contain malware code. In September, they found a Telegram mod with an embedded spy module, distributed through Google Play. Last year, they discovered the Triada Trojan inside a WhatsApp mod.

To avoid falling victim to these attacks, researchers recommend using official downloads only.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.