Unlike the original WhatsApp client, the trojanized versions included a service and a broadcast receiver that activated the spyware whenever the Android device they were installed on was powered on or put on charge, according to a Kaspersky report.
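A static triage check for the persistence trigger described above, written as an added example (it is not code from the Kaspersky report or the article): it parses an AndroidManifest.xml and lists every broadcast receiver registered for the standard boot or charger-connected intent actions. The mapping of "turning on or charging" to `BOOT_COMPLETED` and `ACTION_POWER_CONNECTED` is an assumption, since the article names no action strings, and the sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Standard Android actions delivered on power-on and on charger connection
# (assumed mapping to the article's "turning on or charging" trigger; the
# article names no action strings). A match is a triage signal, not proof.
WAKE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
}

def find_wake_receivers(manifest_xml: str) -> list[tuple[str, list[str]]]:
    """Return (receiver class, matched wake actions) for each flagged receiver."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        actions = sorted(
            act.get(NAME_ATTR)
            for act in receiver.iter("action")
            if act.get(NAME_ATTR) in WAKE_ACTIONS
        )
        if actions:
            hits.append((receiver.get(NAME_ATTR), actions))
    return hits

# Constructed sample manifest: one receiver that wakes on boot/charging next to
# an ordinary push receiver that should not be flagged.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mod">
  <application>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.example.PUSH"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, actions in find_wake_receivers(SAMPLE_MANIFEST):
        print(f"{name}: {', '.join(actions)}")
```

Run against a manifest pulled from a decoded APK, any receiver it lists is a candidate for the kind of boot- or charge-triggered activation the report describes and deserves a look at the service it starts.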
After connecting to a command-and-control (C2) server, CanesSpy delivers not only device information, such as the IMEI, mobile number, and country code, but also contacts, accounts, and files from external storage. All of the exfiltrated data sent to the C2 servers was in Arabic, suggesting an Arabic-speaking threat actor is behind the attacks, the researchers said.
The development follows a recent string of cases in which messaging apps have been abused to distribute malware.
"WhatsApp mods are mostly distributed through third-party Android app stores, which often lack screening and fail to take down malware. Some of these resources, such as third-party app stores and Telegram channels, enjoy considerable popularity, but that is no guarantee of safety," said Kaspersky researcher Dmitry Kalinin.