
New Spyware Using Messaging Apps to Harvest User Data


Newly discovered WhatsApp spyware spreading within the Telegram messenger is covertly stealing personal information from its victims, a Kaspersky report said.

While the app modification enhances the user experience with extra features, such as scheduled messages and customizable options, it is simultaneously harvesting a trove of user information, with hundreds of thousands of downloads, perhaps as many as 340,000 in October alone, Kaspersky said.

The malware predominantly targets users who communicate in Arabic and Azeri, though victims have been identified globally, according to the security provider. Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt witnessed the highest attack rates. While the preference leans towards Arabic and Azerbaijani-speaking users, the malware has also impacted individuals from the U.S., U.K., Germany, Russia and elsewhere.

"People naturally trust apps from highly followed sources, but fraudsters exploit this trust," said Dmitry Kalinin, security expert at Kaspersky. "The spread of malicious mods through popular third-party platforms highlights the importance of using official instant messaging (IM) clients. For robust personal data protection, always download apps from official app stores or official websites."

Attack Tactics Examined

Here’s how the modified client works:

  • The modified WhatsApp client's manifest file includes suspicious components (a service and a broadcast receiver) not present in the original version.
  • The receiver initiates a service, launching the spy module when the phone is powered on or charging.
  • Once activated, the malicious implant sends a request with device information to the attacker's server.
  • This data covers IMEI, phone number, country and network codes, and more. It also transmits the victim's contacts and account details every five minutes, can set up microphone recordings and can exfiltrate files from external storage.
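The manifest difference described above can be checked for directly. The following is an added example, not code from Kaspersky or from the article: it compares a decoded manifest from a suspect client against the official one and lists services and receivers that exist only in the suspect build. It assumes both manifests have already been decoded to text XML (for example with apktool), that the standard Android broadcasts `BOOT_COMPLETED` and `ACTION_POWER_CONNECTED` correspond to "powered on or charging", and all package and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: standard Android broadcasts matching "powered on or charging".
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.ACTION_POWER_CONNECTED"}

def components(manifest_xml):
    """Map (tag, android:name) -> intent-filter actions for services and receivers."""
    app = ET.fromstring(manifest_xml).find("application")
    found = {}
    if app is None:
        return found
    for tag in ("service", "receiver"):
        for node in app.findall(tag):
            actions = {a.get(ANDROID + "name")
                       for a in node.findall("intent-filter/action")}
            found[(tag, node.get(ANDROID + "name", ""))] = actions
    return found

def added_components(official_xml, suspect_xml):
    """Components present only in the suspect manifest, with power/boot triggers."""
    base, suspect = components(official_xml), components(suspect_xml)
    return [{"type": tag, "name": name,
             "triggers": sorted(suspect[(tag, name)] & TRIGGERS)}
            for tag, name in sorted(set(suspect) - set(base))]

# Constructed sample manifests; names are placeholders, not real indicators.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>'
TAIL = "</application></manifest>"
COMMON = ('<service android:name="com.example.messenger.SyncService"/>'
          '<receiver android:name="com.example.messenger.PushReceiver"/>')
OFFICIAL = HEAD + COMMON + TAIL
MODIFIED = HEAD + COMMON + (
    '<service android:name="com.example.extra.CoreService"/>'
    '<receiver android:name="com.example.extra.PowerReceiver"><intent-filter>'
    '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
    '<action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>'
    '</intent-filter></receiver>') + TAIL

if __name__ == "__main__":
    for item in added_components(OFFICIAL, MODIFIED):
        print(item)
```

An added receiver that fires on boot or power events alongside an added service is the pattern the report describes; an added component with no such trigger still warrants review.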

Protecting Your Organization

To stay safe from infection, Kaspersky recommends:

  • Use Official Marketplaces. Download apps and software from reputable and official sources. Avoid third-party app stores, as the risk that they may host malicious or compromised apps is higher.
  • Use reputable security software. Install and maintain reputable antivirus and anti-malware software on your devices. Regularly scan your devices for potential threats and keep your security software up to date.
  • Educate yourself about common scams. Stay informed about the latest cyber threats, techniques, and tactics. Be cautious of unsolicited requests, suspicious offers, or urgent demands for personal or financial information.
  • Third-party software from popular sources often comes with zero warranty. Keep in mind that such apps can contain malicious implants, e.g. because of supply chain attacks.

D. Howard Kass
