CanesSpy Malware Included in Modified Apps
A group of cybersecurity experts has discovered several modified versions of WhatsApp for Android that include a spyware component named CanesSpy. These altered versions of the popular messaging app have been found to be distributed through questionable websites advertising such software, as well as Telegram channels mainly used by Arabic and Azerbaijani speakers, one of which has a user base of 2 million people.
The researchers have identified suspicious elements in the modified client's code, specifically a service and a broadcast receiver, which are not present in the original WhatsApp client. These additions are specifically designed to activate the spyware module when the phone is powered on or when it begins charging.
CanesSpy's Mode of Operation
Upon activation, the spyware establishes a connection with a command-and-control (C2) server and proceeds to send information about the compromised device, including the IMEI, phone number, mobile country code, and mobile network code. CanesSpy also periodically sends data about the victim's contacts and accounts every five minutes, in addition to waiting for further instructions from the C2 server every minute, a setting that can be customized.
The spyware is also capable of sending files from external storage (e.g., a removable SD card), recording audio from the device's microphone, transmitting data about the spyware's configuration, and modifying the C2 server details. The fact that the communications with the C2 server are all in Arabic suggests that the developer responsible for this operation is likely an Arabic speaker.
Further analysis reveals that this spyware campaign has been active since mid-August 2023 and has primarily targeted countries such as Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt.