WhatsApp spy mod spreads through Telegram, attacks Arabic-speaking users

It is not rare for users of popular instant messaging services to find the official client apps lacking in functionality. To address that problem, third-party developers come up with mods that offer sought-after features in addition to aesthetic upgrades. Unfortunately, some of these mods contain malware alongside legitimate enhancements. A case in point occurred last year when we discovered the Triada Trojan inside a WhatsApp mod. Recently, we described a Telegram mod with an embedded spy module, distributed through Google Play. It is the same story with WhatsApp now: several previously harmless mods were found to contain a spy module that we detect as Trojan-Spy.AndroidOS.CanesSpy.


How the spy module works


We will use the 80d7f95b7231cc857b331a993184499d sample to illustrate how spy modules operate.


The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client. A broadcast receiver listens for broadcasts from the system and other applications, such as the phone starting to charge, a text message being received, or the downloader finishing a download. When the receiver gets a message like that, it calls the event handler. In the WhatsApp spy mod, the receiver runs a service that launches the spy module when the phone is switched on or starts charging.


Suspicious app components
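
An added example, not code from the original article: one way to check a decoded manifest for the pattern described above, by listing components that are absent from a baseline manifest of the official client and noting which of them subscribe to power-on or charging broadcasts. The manifests, package and class names are constructed, and mapping "switched on" and "starts charging" to BOOT_COMPLETED and ACTION_POWER_CONNECTED is an assumption, since the article does not name the actions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "service", "receiver", "provider")
# Assumption: the article's "switched on" / "starts charging" events map to
# these standard Android broadcast actions; the article does not name them.
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.ACTION_POWER_CONNECTED"}

def components(manifest_xml):
    """Map (kind, name) -> set of intent-filter actions for each component."""
    app = ET.fromstring(manifest_xml).find("application")
    found = {}
    for kind in (KINDS if app is not None else ()):
        for node in app.findall(kind):
            actions = {a.get(ANDROID + "name") for a in node.iter("action")}
            found[(kind, node.get(ANDROID + "name", ""))] = actions
    return found

def audit(baseline_xml, suspect_xml):
    """List components absent from the baseline and their boot/charge triggers."""
    known = components(baseline_xml)
    return [(kind, name, sorted(actions & TRIGGERS))
            for (kind, name), actions in sorted(components(suspect_xml).items())
            if (kind, name) not in known]

# Constructed sample manifests; package and class names are hypothetical.
BASELINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <application>
    <activity android:name=".Main"/>
    <service android:name=".MessageService"/>
  </application>
</manifest>"""

SUSPECT = BASELINE.replace("</application>", """  <service android:name="com.example.added.SyncService"/>
    <receiver android:name="com.example.added.WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>""")

if __name__ == "__main__":
    for kind, name, triggers in audit(BASELINE, SUSPECT):
        print(kind, name, "triggers:", ", ".join(triggers) or "none")
```

The manifest inside an APK is binary XML, so it has to be decoded to text before a check like this can read it. Component names in real manifests may be written relative to the package (".Main"), so normalise them to fully qualified names before comparing two files.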


The ..
