In a concerning development, cybersecurity researchers have recently uncovered modified versions of WhatsApp for Android, equipped with a spyware module named CanesSpy. These modified WhatsApp applications are being distributed through dubious websites advertising these modded versions and via Telegram channels predominantly used by Arabic and Azerbaijani speakers, one of which boasts a user base of two million individuals. This article explores the discovery, functionality, and potential implications of CanesSpy, emphasizing the risks to user privacy and device security.
The CanesSpy Spyware:
The CanesSpy spyware, concealed within these rogue WhatsApp mods, is designed to activate when the infected phone is powered on or connected to a charger. Once activated, it initiates contact with a command-and-control (C2) server, transmitting vital information about the compromised device. This includes details like the IMEI, phone number, mobile country code, and mobile network code. CanesSpy goes further by sending information about the victim’s contacts and accounts every five minutes and awaiting further instructions from the C2 server every minute. Importantly, this spyware module is highly configurable, allowing for actions like sending files from external storage, recording sound from the microphone, altering C2 server settings, and more.
An intriguing aspect of this discovery is that all the communication between CanesSpy and the C2 server is conducted in Arabic. This linguistic clue suggests that the mastermind behind this operation is likely an Arabic speaker.
Duration and Targets:
Cybersecurity researchers have determined that CanesSpy has been active since mid-August 2023. The spyware campaign has predominantly targeted users in countries such as Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt. This highlights the geographical focus of the espionage campaign.
WhatsApp has been unequivocal about unofficial and third-party versions of its app, cautioning users that they are treated as unofficial and fake. The company emphasizes that it cannot validate the security practices of these versions and warns that using them may expose users to the risk of malware compromising their privacy and security.
A Continuing Threat:
This discovery underscores the persistent abuse of modified messaging apps like WhatsApp and Telegram to distribute malware to unsuspecting users. Notably, last year, WhatsApp, owned by Meta, filed a lawsuit against three developers in China and Taiwan for distributing unofficial WhatsApp apps, including HeyMods, which resulted in the compromise of over one million user accounts.
The Need for Caution:
It’s crucial for users to exercise caution and prioritize their privacy and security. WhatsApp mods are primarily distributed through third-party Android app stores that often lack rigorous screening and may not promptly remove malware. While some of these resources, such as third-party app stores and Telegram channels, are popular, popularity does not guarantee safety. Users should be aware of the risks associated with using unofficial and modified versions of messaging apps.
The discovery of CanesSpy spyware hidden within modified WhatsApp versions serves as a stark reminder of the ongoing threats to user privacy and digital security. To stay protected, users are strongly advised to use only official versions of messaging apps, exercise caution when downloading from unofficial sources, and prioritize security practices that shield their digital lives from potential threats.