Keypoints
- The trojanized WhatsApp mods include additional components (a broadcast receiver and a service) absent from the official client that provide automatic launch and persistence.
- On activation (boot or when charging) the receiver starts a service which chooses a C2 server using an internal constant and posts device identifiers to /api/v1/AllRequest.
- The implant regularly requests configuration and "orders" from the C2 (default one-minute interval) and exfiltrates contacts and account data every five minutes.
- Supported commands enable listing external-storage file paths, selective file retrieval, uploading files as ZIP archives, changing C2 servers, and recording microphone audio via the RecordSound command.
- Distribution was traced mainly to Telegram channels (Arabic/Azeri) and multiple third-party WhatsApp mod websites; infected builds date from mid-August 2023 onward.
- Kaspersky published MD5 hashes of infected APKs and a list of C2 domains and distributing websites to aid detection and takedown efforts.
MITRE Techniques
- [T1547] Boot or Logon Autostart Execution: the broadcast receiver triggers a service that launches the spy module on phone startup or when charging. ["the receiver runs a service that launches the spy module when the phone is switched on or starts charging."]
- [T1071] Application Layer Protocol: the implant uses HTTP POST requests to communicate with C2 endpoints (e.g., /api/v1/AllRequest) to send device info and receive commands. ["it sends a POST request containing information about the device to the threat operator's server along the path /api/v1/AllRequest."]
- [T1041] Exfiltration Over C2 Channel: files and data (contacts/accounts, external-storage files zipped) are uploaded to C2 paths like /api/v1/UploadFileWithContinue. ["Send a file from external storage (non-system memory or a removable medium, such as an SD card) as a ZIP archive"]
- [T1083] File and Directory Discovery: the malware enumerates external storage and returns file paths and names to the C2 (GetAllFileList / SaveFileNames). ["Send paths to all files in the external storage"]
- [T1123] Audio Capture: the RecordSound command captures audio from the microphone and uploads it via /api/v1/UploadSmallFile. ["Record sound from the microphone"]
Indicators of Compromise
- [MD5 hashes] Infected APKs: 1db5c057a441b10b915dbb14bba99e72, 80d7f95b7231cc857b331a993184499d, and 4 more hashes
- [C2 domains] Command-and-control servers: hxxps://application-marketing[.]com, hxxps://whatsupdates[.]com, and other listed C2 domains
- [Distribution websites] Sites hosting trojanized mods: hxxps://whatsagold[.]app, hxxps://watsabplusgold[.]com, and additional mod sites
The trojanized WhatsApp mods add a broadcast receiver and service into the APK manifest to achieve persistence and automatic activation: the receiver listens for system broadcasts (boot/charging) and launches the service which loads the spy module. At startup the implant selects a command-and-control server via an internal constant and immediately issues an HTTP POST to /api/v1/AllRequest to upload device identifiers (IMEI, phone number, MCC/MNC) and to request configuration such as upload paths and polling intervals.
The implant polls the C2 for "orders" (default every minute) and implements commands that enumerate external storage (GetAllFileList -> /api/v1/SaveFileNames), filter and collect specific file types, compress and upload files as ZIP archives (/api/v1/UploadFileWithContinue), change the main C2 server, and capture audio via a RecordSound command uploaded to /api/v1/UploadSmallFile. Contacts and account information are transmitted at five-minute intervals, and the module supports SQL-style filters for selective file access when calling Android's ContentResolver.
Researchers traced distribution mainly to Telegram channels and several third-party WhatsApp mod websites, analyzed APK timestamps to identify the first infected builds (mid-August 2023 onward), and published MD5s plus C2/domain indicators to help detection and blocking. Operators and defenders can prioritize scanning for the listed MD5s, network requests to /api/v1/* paths, and unexpected manifest components (broadcast receiver/service) in WhatsApp APKs to detect this implant.
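The persistence mechanism described above (a manifest-declared receiver for boot/charging broadcasts that starts a service) is something a defender can look for in a decoded manifest. The following script is an added example, not code from Kaspersky or from the analysed sample: it parses an apktool-style AndroidManifest.xml, flags receivers whose intent filters contain the standard Android autostart actions, and reports receiver/service components missing from a baseline of the official client's component names. The sample manifest, the placeholder component names (com.example.placeholder.*) and the baseline set are all constructed for the example; the real implant's class names are not given on this page.

```python
"""Flag autostart receivers and unexpected services in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Standard Android broadcast actions that let a manifest-declared receiver run
# with no user interaction: device boot and the charger being connected.
AUTOSTART_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
}

# Constructed sample of a decoded manifest (apktool output shape). The
# com.example.placeholder.* names stand in for whatever the mod actually adds.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.whatsapp">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="WhatsApp">
    <activity android:name="com.whatsapp.Main"/>
    <receiver android:name="com.example.placeholder.StartReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.placeholder.SpyService"/>
    <service android:name="com.whatsapp.messaging.MessageService"/>
  </application>
</manifest>
"""

# Constructed baseline: component names a defender has extracted from a known-good
# official build. In practice this is generated from the official APK, not typed in.
BASELINE_COMPONENTS = {"com.whatsapp.Main", "com.whatsapp.messaging.MessageService"}


def analyze_manifest(xml_text: str, baseline: set) -> list:
    """Return one finding per receiver/service that is autostart-capable or unknown."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in ("receiver", "service"):
            continue
        name = comp.get(NAME_ATTR, "")
        # Collect every <action> under the component's intent filters.
        actions = {a.get(NAME_ATTR) for a in comp.iter("action")}
        autostart = sorted(actions & AUTOSTART_ACTIONS)
        unknown = name not in baseline
        if autostart or unknown:
            findings.append({
                "type": comp.tag,
                "name": name,
                "autostart": autostart,
                "unknown": unknown,
            })
    return findings


def requested_permissions(xml_text: str) -> set:
    """Permissions declared in the manifest; RECEIVE_BOOT_COMPLETED plus RECORD_AUDIO
    is consistent with the boot-persistence and microphone capture described here."""
    root = ET.fromstring(xml_text)
    return {p.get(NAME_ATTR) for p in root.iter("uses-permission")}


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST, BASELINE_COMPONENTS):
        print(f)
    print(sorted(requested_permissions(SAMPLE_MANIFEST)))
```

Running it on the constructed manifest reports the receiver (both autostart actions, not in the baseline) and the placeholder service (not in the baseline), while the official MessageService is silent. A baseline diff is the useful part: a mod legitimately adds components, so the triage question is which additions can launch themselves without the user opening the app.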
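The detection guidance in the paragraph above (scan for the published MD5s and for requests to the /api/v1/* endpoints) can be turned into a small IoC sweep. The script below is an added example, not Kaspersky's tooling: it refangs the defanged C2 domains exactly as listed on this page, scores proxy log lines by whether they hit a known C2 host (high) or only one of the named endpoint paths on an unlisted host (medium, since /api/v1/ is a common prefix and needs triage), and matches observed APK hashes against the two MD5s given here. The proxy log lines and their format are constructed; only the two domains, the four endpoint paths and the two hashes come from the page.

```python
"""Sweep proxy logs and APK hashes for the indicators published for this implant."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as published on the page (defanged). The page lists more; only
# those shown in the summary are included here.
C2_DOMAINS_DEFANGED = [
    "hxxps://application-marketing[.]com",
    "hxxps://whatsupdates[.]com",
]
APK_MD5S = {
    "1db5c057a441b10b915dbb14bba99e72",
    "80d7f95b7231cc857b331a993184499d",
}
# Endpoint paths named in the analysis.
C2_PATHS = {
    "/api/v1/AllRequest",
    "/api/v1/SaveFileNames",
    "/api/v1/UploadFileWithContinue",
    "/api/v1/UploadSmallFile",
}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y) back into a matchable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


C2_HOSTS = {urlsplit(refang(u)).hostname.lower() for u in C2_DOMAINS_DEFANGED}

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """2023-09-01T10:00:01Z 10.0.0.12 POST https://whatsupdates.com/api/v1/AllRequest 200
2023-09-01T10:01:02Z 10.0.0.12 POST https://whatsupdates.com/api/v1/SaveFileNames 200
2023-09-01T10:02:03Z 10.0.0.15 GET https://example.org/api/v1/AllRequest 404
2023-09-01T10:03:04Z 10.0.0.15 GET https://www.example.org/index.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_line(line: str):
    """Return a hit dict for a log line that matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS:
        return {"ts": ts, "client": client, "url": url,
                "severity": "high", "reason": "known C2 host"}
    if parts.path in C2_PATHS:
        # Same endpoint name on a host not in the list: possibly a new C2 server
        # (the implant can switch servers), possibly an unrelated API. Triage.
        return {"ts": ts, "client": client, "url": url,
                "severity": "medium", "reason": "C2 endpoint path on unlisted host"}
    return None


def scan_log(text: str) -> list:
    return [h for h in (classify_line(l) for l in text.splitlines()) if h]


def md5_hex(data: bytes) -> str:
    """MD5 of an APK's bytes, for comparison with the published hashes."""
    return hashlib.md5(data).hexdigest()


def match_apk_hashes(observed, ioc_md5s=APK_MD5S) -> list:
    """Case-insensitive intersection of observed APK MD5s with the IoC set."""
    return sorted({h.lower() for h in observed} & ioc_md5s)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(match_apk_hashes(["1DB5C057A441B10B915DBB14BBA99E72", md5_hex(b"constructed")]))
```

Clients that appear in high-severity hits are the ones to pull APK inventories from; the medium tier exists because the implant can be ordered to change its main C2 server, so a known path on a new host is worth a look even though it is not proof on its own.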
Read more: https://securelist.com/spyware-whatsapp-mod/110984/