Unknown hackers are targeting Arabic-speaking WhatsApp users in Saudi Arabia, Yemen, and other countries with a spyware campaign. Researchers at Kaspersky have identified previously benign WhatsApp mods that have been injected with malicious code, enabling spying on Android users in these regions.
This campaign, which began in mid-August 2023, distributed the compromised mods primarily through Telegram channels, resulting in over 340,000 attacks thwarted by Kaspersky in October across more than a hundred countries. Notably, the countries with the highest number of installations of the WhatsApp spyware were Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.
In addition to Telegram channels, these infected mods are also circulated through suspicious websites dedicated to third-party versions of WhatsApp. It’s important to note that WhatsApp, owned by Meta, warns users that modified app versions violate its terms of service. The spyware-laden mods include a component that collects technical information from the device, such as when the phone starts charging, receives a text message, or completes a download.
When the phone is powered on or begins charging, the spy module activates on the device, potentially granting access to the victim’s phone number, mobile country code, mobile network code, data upload paths, contact details, and account information, which is transmitted every five minutes.
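The triggers described above can be turned into a quick triage check on a suspect mod. The following is an added example, not code from Kaspersky's research: it assumes the APK's manifest has already been decoded to plain XML (for instance with apktool), and it assumes the listed standard Android broadcast actions are the ones behind the events the article names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: these standard Android broadcast actions correspond to the
# triggers the article names (power on, charging, incoming SMS, download done).
TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED": "power on",
    "android.intent.action.ACTION_POWER_CONNECTED": "charging started",
    "android.provider.Telephony.SMS_RECEIVED": "text message received",
    "android.intent.action.DOWNLOAD_COMPLETE": "download completed",
}

def flag_receivers(manifest_xml, min_triggers=2):
    """Map receiver name -> sorted trigger labels, for receivers that
    subscribe to at least min_triggers of the events above."""
    flagged = {}
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        hits = sorted(TRIGGERS[a] for a in actions if a in TRIGGERS)
        if len(hits) >= min_triggers:
            flagged[receiver.get(ANDROID_NS + "name", "<unnamed>")] = hits
    return flagged

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mod">
  <application>
    <receiver android:name="com.example.mod.SyncReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.DOWNLOAD_COMPLETE"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.mod.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, hits in flag_receivers(SAMPLE_MANIFEST).items():
        print(f"{name}: {', '.join(hits)}")
```

A flagged receiver is a reason to look closer at the class behind it, not a verdict, since legitimate apps also register for these broadcasts.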
Kaspersky researchers have observed a growing trend of instant messaging app mods containing malicious code. Earlier discoveries include a Telegram mod with an embedded spy module distributed through Google Play and, last year, the Triada Trojan inside a WhatsApp mod. To safeguard against such attacks, researchers recommend using official downloads exclusively, as user-created mods can pose significant security risks.