It is not rare that users of popular instant messaging services find the official client apps to be lacking in functionality. To address that problem, third-party developers come up with mods that offer sought-after features besides aesthetic upgrades. Unfortunately, some of these mods contain malware alongside legitimate enhancements. A case in point occurred last year when we discovered the Triada Trojan inside a WhatsApp mod. Recently, we described a Telegram mod with an embedded spy module, distributed through Google Play. It is the same story with WhatsApp now: several, previously harmless, mods were found to contain a spy module that we detect as Trojan-Spy.AndroidOS.CanesSpy.
How the spy module works
We will use the 80d7f95b7231cc857b331a993184499d sample to illustrate how spy modules operate.
The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client. A broadcast receiver listens for broadcasts from the system and other applications, such as phone starts charging, text message received, or downloader finishes downloading. When the receiver gets a message like that, it calls the event handler. In the WhatsApp spy mod, the receiver runs a service that launches the spy module when the phone is switched on or starts charging.
The ..
Support the originator by clicking the read the rest link below.