A malicious WhatsApp spy modification has been uncovered by Kaspersky researchers. While the modification serves its intended purpose by enhancing the user experience, it also clandestinely harvests personal information from its victims.
Users often turn to third-party mods for popular messaging apps to add extra features. However, some of these mods, while enhancing functionality, also come with hidden malware.
The modified WhatsApp client's manifest file includes suspicious components (a service and a broadcast receiver) not present in the original version. The receiver initiates a service, launching the spy module when the phone is powered on or charging.
Once activated, the malicious implant sends a request with device information to the attacker's server. This data covers IMEI, phone number, country and network codes, and more. It also transmits the victim's contacts and account details every five minutes, can set up microphone recordings and can exfiltrate files from external storage.
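The manifest difference described above can be checked mechanically. The following is an added example, not code from the Kaspersky research: it compares two manifests already decoded to text XML (for example by apktool) and lists services and receivers that exist only in the modified build, flagging receivers registered for boot or charger broadcasts. The sample manifests and every package and class name in them are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Broadcasts matching the triggers described above: power-on and charging.
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.ACTION_POWER_CONNECTED"}

# Constructed sample manifests; all package and class names are hypothetical.
BASELINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <service android:name="com.example.messenger.MessageService"/>
  <receiver android:name="com.example.messenger.PushReceiver">
   <intent-filter><action android:name="com.example.messenger.PUSH"/></intent-filter>
  </receiver>
 </application>
</manifest>"""
SUSPECT = BASELINE.replace("</application>", """
  <service android:name="com.example.mod.HiddenService"/>
  <receiver android:name="com.example.mod.PowerReceiver">
   <intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
   </intent-filter>
  </receiver>
 </application>""")

def components(manifest_xml):
    """Map (tag, android:name) -> set of intent-filter actions it declares."""
    found = {}
    root = ET.fromstring(manifest_xml)
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            actions = {a.get(ANDROID + "name") for a in node.iter("action")}
            found[(tag, node.get(ANDROID + "name"))] = actions
    return found

def diff_manifests(baseline_xml, suspect_xml):
    """List services/receivers present only in the suspect manifest."""
    base = components(baseline_xml)
    return [{"type": tag, "name": name, "triggers": sorted(actions & TRIGGERS)}
            for (tag, name), actions in sorted(components(suspect_xml).items())
            if (tag, name) not in base]

if __name__ == "__main__":
    for item in diff_manifests(BASELINE, SUSPECT):
        flag = "REVIEW: starts on boot/charge" if item["triggers"] else "new component"
        print(f'{item["type"]:8} {item["name"]}  [{flag}]')
```

A component that appears only in the modified build is a reason to inspect it, not proof of malice, since legitimate mods also add components.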