Spyware Designed for Telegram Mods Also Targets WhatsApp Add-Ons

Researchers discovered spyware designed to steal from Android devices and from Telegram mods can also reach WhatsApp users.

Kaspersky researchers have discovered that attackers are distributing spyware that stealthily gathers private data from users of WhatsApp on Android devices, through the same mods earlier discovered for the competing Telegram service.
In a
bulletin posted on Nov. 2
, Kaspersky counted 340,000 attempts at distributing the spyware via the WhatsApp mod.
Dmitry Kalinin, a Kaspersky security expert, believes the actual number of attempted attacks is greater. If we consider the nature of the distribution channel, the real number of installations could be much higher, Kalinin explained in the bulletin.
While the attack reached users worldwide, 46% of the victims were in Azerbaijan. Other countries with a large percentage of victims include Yemen, Saudi Arabia, Egypt, and Turkey, primarily nations whose citizens speak Arabic.
WhatsApp mods, legitimate third-party applications designed to give the messaging application enhanced capabilities, have become a haven for malware. In
recent years
, attackers launched Triada, a mobile Trojan that downloads more malware, launches ads, and intercepts victims messages. Kaspersky
last year warned
that Triada was proliferating on legitimate apps such as a spoofed version of the widely used YoWhatsApp.
During the summer, Kaspersky warned of a rise in attackers injecting spyware into unofficial Telegram mods, targeting users in China. Kaspersky researcher Igor Golovin
wrote in September
that this spyware could steal a victims correspondence, personal data and contacts. And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks, Golovin noted. Google subsequently removed the offending mods from its Google Play app store.
It is the same story with WhatsApp now: several, previously harmless, mods were found to contain a spy module that we detect as Trojan-Spy.AndroidOS.CanesSpy, Kalinin now warns. Explaining how the spy module works, Kalinin notes that the Trojan-infected client manifest contains suspicious components, such as a service and a broadcast receiver, which isnt found in the original WhatsApp client.
Upon discovering the spyware in the WhatsApp mods, Kaspersky researchers analysis showed that Telegram was the primary source in various channels. Just the most popular of these had almost two million subscribers, Kalinin notes. We alerted Telegram to the fact that the channels were used for spreading malware.
At the time of publishing, a Kaspersky spokesman says the company hasnt received a response from Telegram. Telegram also didnt respond to an inquiry from Dark Reading, though in an autoreply from its press bot, the company stated: Telegram is committed to protecting user privacy and human rights such as freedom of speech and assembly. It has played a prominent role in pro-democracy movements around the world.
WhatsApp declined to comment on the specific spyware, but the company
discourages the use of unofficial apps
, which pose the risk of carrying malware that could breach customers’ privacy and security.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Spyware Designed for Telegram Mods Also Targets WhatsApp Add-Ons