Article Details
Scrape Timestamp (UTC): 2023-11-03 09:37:04.540
Source: https://thehackernews.com/2023/11/canesspy-spyware-discovered-in-modified.html
Original Article Text
CanesSpy Spyware Discovered in Modified WhatsApp Versions
Cybersecurity researchers have unearthed a number of WhatsApp mods for Android that come fitted with a spyware module dubbed CanesSpy.
These modified versions of the instant messaging app have been observed being propagated via sketchy websites advertising such software as well as Telegram channels used primarily by Arabic and Azerbaijani speakers, one of which boasts 2 million users.
"The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client," Kaspersky security researcher Dmitry Kalinin said.
Specifically, the new additions are designed to activate the spyware module when the phone is switched on or starts charging. It subsequently proceeds to establish contact with a command-and-control (C2) server, followed by sending information about the compromised device, such as the IMEI, phone number, mobile country code, and mobile network code.
CanesSpy also transmits details about the victim's contacts and accounts every five minutes, in addition to awaiting further instructions from the C2 server every minute, a setting that can be reconfigured. This includes sending files from external storage (e.g., removable SD card), contacts, recording sound from the microphone, sending data about the implant configuration, and altering the C2 servers.
The fact that the messages sent to the C2 server are all in Arabic indicates that the developer behind the operation is an Arabic speaker. Further analysis of the operation shows that the spyware has been active since mid-August 2023, with the campaign primarily targeting Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.
The development marks the continued abuse of modified versions of messaging services like Telegram and WhatsApp to distribute malware to unsuspecting users.
"WhatsApp mods are mostly distributed through third-party Android app stores, which often lack screening and fail to take down malware," Kalinin said. "Some of these resources, such as third-party app stores and Telegram channels, enjoy considerable popularity, but that is no guarantee of safety."
Daily Brief Summary
Cybersecurity researchers have discovered spyware called 'CanesSpy' integrated within modified versions of the WhatsApp Android application.
The fraudulent versions of WhatsApp are predominantly circulated through untrustworthy websites and Telegram channels, with most users being Arabic and Azerbaijani speakers.
CanesSpy activates when a victim's phone is turned on or starts charging, subsequently dispatching device information, including IMEI, phone number, mobile country code and mobile network code to a command-and-control (C2) server.
CanesSpy, believed to be developed by an Arabic speaker, also relays the victim's contact and account details every five minutes and can transmit a range of data from a victim's device on command by the C2 server.
Researchers believe the spyware has been active since mid-August 2023, primarily targeting users in Saudi Arabia, Yemen, Turkey, Egypt, and Azerbaijan.
The discovery highlights the ongoing exploitation of altered versions of messaging apps to distribute malware to unwary users.
Users are prompted to be cautious while downloading apps from third-party platforms due to their inadequate screening processes and failure to remove malware-laden applications.