CyberSecurity news

FlagThis - #whatsapp

Pierluigi Paganini@securityaffairs.com //
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.
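The report describes the clipper's core trick: find strings in a chat that look like wallet addresses and replace them before the message leaves the device, while the sender still sees the original. The defensive counterpart is a comparison of what the user composed against what was actually transmitted. The Python below is an added example written for this page, not code from Doctor Web or any of the articles referenced here; the address regexes are simplified illustrative patterns (no checksum validation) and the messages are constructed test data.

```python
import re

# Simplified wallet-address patterns for the two coins the report names.
# Assumption: illustrative regexes only, not full address/checksum validation.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}


def find_addresses(text):
    """Return [(coin, address)] for every wallet-looking string in text, in order of appearance."""
    hits = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), coin, match.group(0)))
    return [(coin, addr) for _, coin, addr in sorted(hits)]


def detect_substitution(composed, transmitted):
    """Compare the message the user composed with the message that actually left the device.

    Returns a list of findings; an empty list means every address survived unchanged.
    A clipper that rewrites addresses in transit shows up as 'address_swapped'.
    """
    original = find_addresses(composed)
    actual = find_addresses(transmitted)
    findings = []
    if len(original) != len(actual):
        # An address was added or removed outright, not merely replaced.
        findings.append(("count_mismatch", len(original), len(actual)))
    for (coin_a, addr_a), (coin_b, addr_b) in zip(original, actual):
        if coin_a != coin_b:
            findings.append(("type_changed", addr_a, addr_b))
        elif addr_a != addr_b:
            findings.append(("address_swapped", addr_a, addr_b))
    return findings


if __name__ == "__main__":
    # Constructed sample: the user typed one address, the outgoing message carries another.
    typed = "Please send the ETH to 0x" + "a" * 40 + " today"
    sent = "Please send the ETH to 0x" + "b" * 40 + " today"
    for finding in detect_substitution(typed, sent):
        print(finding)
```

The check only works when the comparison runs outside the code path the clipper controls; on the infected phones described above the messaging app itself is the modified component, so the honest copy of the message has to come from somewhere the patched app cannot touch, such as a second device or the recipient reading the address back.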



References :
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
  • securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
  • The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
@Talkback Resources //
A critical spoofing vulnerability, identified as CVE-2025-30401, has been discovered in WhatsApp for Windows. Meta, the parent company of WhatsApp, has released a security update to address this flaw, which impacts versions prior to 2.2450.6. The vulnerability could allow attackers to trick users and enable remote code execution on their devices. Users of WhatsApp for Windows are strongly advised to update to the latest version immediately to mitigate the risk. This issue arises from a discrepancy in how WhatsApp handles file attachments, specifically the mismatch between the MIME type and file extension handling.

The exploit mechanism involves attackers sending maliciously crafted files with altered file types to potential targets. The WhatsApp application displays attachments based on their MIME type but selects the file opening handler based on the attachment's filename extension. An attacker can therefore craft a file that is presented as harmless, such as an image, but that, when opened, executes arbitrary code on the victim's system.

The discovery of CVE-2025-30401 has raised concerns within the cybersecurity community, highlighting the importance of maintaining robust security practices in widely-used applications. While Meta has not reported any exploitation of this vulnerability in the wild, vulnerabilities in messaging applications like WhatsApp are frequently targeted by malicious actors. The impact of a successful exploit could include unauthorized system access and data theft, posing significant risks to users. To ensure protection, users should promptly update their WhatsApp for Windows application to version 2.2450.6 or later.
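The flaw comes down to two components answering the question "what is this file?" differently: the renderer trusts the declared MIME type, the opener trusts the extension. The defensive rule that follows is to make one decision from all the evidence (declared type, extension, and the file's own leading bytes) and to refuse the hand-off whenever they disagree or whenever any of them points at an executable handler. The Python below is an added example for this page, not WhatsApp's code and not taken from the articles referenced here; the executable-extension list and the magic-byte table are illustrative assumptions.

```python
import mimetypes
import os

# Extensions Windows hands to an executable-capable handler.
# Assumption: an illustrative subset, not the list WhatsApp or Windows actually uses.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".msi", ".lnk",
}

# Leading-byte signatures for a few common formats (constructed for this example).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),  # Windows PE executable
]


def sniff_mime(head):
    """Guess the MIME type from the first bytes of the file, or None if unrecognised."""
    for signature, mime in MAGIC:
        if head.startswith(signature):
            return mime
    return None


def classify_attachment(filename, declared_mime, head=b""):
    """Decide whether an attachment may be handed to the opener chosen from its extension.

    declared_mime is the type the sending client attached to the message (what a UI
    would use to render the preview); head is the first few bytes of the received file.
    Returns a dict whose 'action' is allow, quarantine or block, with a 'reason'.
    """
    ext = os.path.splitext(filename)[1].lower()
    ext_mime, _ = mimetypes.guess_type(filename, strict=False)
    sniffed = sniff_mime(head)
    verdict = {
        "filename": filename,
        "declared_mime": declared_mime,
        "extension_mime": ext_mime,
        "sniffed_mime": sniffed,
    }
    if ext in EXECUTABLE_EXTENSIONS or sniffed == "application/x-msdownload":
        # Either signal alone is enough: never let the extension route this to a launcher.
        verdict.update(action="block", reason="would be handed to an executable handler")
    elif sniffed is not None and sniffed != declared_mime:
        verdict.update(action="quarantine",
                       reason=f"content bytes look like {sniffed}, not the declared {declared_mime}")
    elif ext_mime is None:
        verdict.update(action="quarantine",
                       reason="unknown extension; cannot confirm it matches the declared type")
    elif ext_mime.split("/")[0] != declared_mime.split("/")[0]:
        verdict.update(action="quarantine",
                       reason=f"extension implies {ext_mime} but sender declared {declared_mime}")
    else:
        verdict.update(action="allow", reason="declared type, extension and content agree")
    return verdict


if __name__ == "__main__":
    # Constructed sample: looks like a photo to the renderer, is a PE to the opener.
    print(classify_attachment("holiday.jpg.exe", "image/jpeg", b"MZ\x90\x00"))
```

The ordering matters: the executable checks run first so that a benign-looking declared type can never downgrade a block to a quarantine, and a file whose bytes contradict its declared type is held even when its extension happens to agree with one of the two.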



References :
  • securityaffairs.com: WhatsApp fixed a spoofing flaw that could enable Remote Code Execution
  • Talkback Resources: WhatsApp Vulnerability Could Facilitate Remote Code Execution [app] [exp]
  • The DefendOps Diaries: Understanding the WhatsApp for Windows Vulnerability: CVE-2025-30401
  • BleepingComputer: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
  • hackread.com: WhatsApp for Windows Flaw Could Let Hackers Sneak In Malicious Files
  • infosec.exchange: vulnerability CVE-2025-30401 impacting all WhatsApp versions can let attackers execute malicious code on your devices. The flaw can be exploited by attackers by sending maliciously crafted files with altered file types to potential targets:
  • PCMag UK security: WhatsApp Patches Bug That Can Execute Malware on Windows PCs
  • darkwebinformer.com: DarkWebInformer Article on CVE-2025-30401: WhatsApp for Windows Spoofing Prior to Version 2.2450.6
  • cyberinsider.com: WhatsApp for Windows Vulnerable to Spoofing Flaw Leading to Code Execution
  • securityonline.info: SecurityOnline news detail for WhatsApp for Windows Spoofing Vulnerability: Execute Code Risk (CVE-2025-30401)
  • The Register - Security: What a MIME field. A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment - and, to be fair, it doesn't take much craft to pull that off.
  • bsky.app: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
  • ComputerWeekly.com: Spoofing vuln threatens security of WhatsApp Windows users
  • www.csoonline.com: CSOOnline article on Whatsapp plugs bug allowing RCE with spoofed filenames
  • Help Net Security: WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401)
  • Malwarebytes: WhatsApp for Windows vulnerable to attacks. Update now!
  • www.bleepingcomputer.com: WhatsApp flaw can let attackers run malicious code on Windows PCs
  • www.scworld.com: Malicious code execution possible with patched WhatsApp flaw
Paolo Tarsitano@Cyber Security 360 //
Citizen Lab researchers have identified several countries as potential customers of Paragon Solutions' Graphite spyware, which was used in attacks against human rights defenders. The investigation mapped the infrastructure of the Israel-based spyware maker, identifying servers likely used by customers in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. The findings follow WhatsApp's notification to numerous individuals that Paragon exploited the platform to deliver spyware to their phones.

The Citizen Lab report includes an infrastructure analysis of Graphite, a forensic analysis of infected devices belonging to members of civil society, and a closer look at the spyware's use in Canada and Italy. Meta (WhatsApp) confirmed that these details were pivotal to its ongoing investigation into Paragon, which allowed it to fix a zero-click exploit.

Paragon’s executive chairman, John Fleming, responded that Citizen Lab shared only a "very limited amount of information" beforehand, "some of which appears to be inaccurate," while declining to specify what was inaccurate. Despite Paragon's claims of selling only to democracies, the report raises concerns about potential abuse, suggesting their safeguards may not be sufficient.



References :
  • infosec.exchange: Researchers mapped out the infrastructure of spyware maker Paragon Solutions, and say they were able to identify servers likely used by customers in several countries: Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Paragon’s executive chairman John Fleming said Citizen Lab shared in advance "very limited amount of information, some of which appears to be inaccurate." He declined to say what was inaccurate exactly.
  • The Citizen Lab: In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.
  • techcrunch.com: Researchers name several countries as potential Paragon spyware customers
  • CyberInsider: Paragon’s Spyware ‘Graphite’ Used in WhatsApp Attacks
  • securityaffairs.com: WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware
  • Zack Whittaker: Researchers at Citizen Lab have named several countries as potential customers of Paragon's Graphite spyware, which Citizen Lab says was used in a widespread campaign targeting human rights defenders in Italy.
  • Metacurity: Australia, Canada, Cyprus, Denmark, Israel, and Singapore likely bought Paragon spyware, Citizen Lab
  • The Hacker News: Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data
  • BleepingComputer: WhatsApp patched zero-day flaw used in Paragon spyware attacks
  • Cyber Security 360: Italy spied on: the Paragon Graphite spyware network revealed
  • hackread.com: Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit
  • The Register - Security: Paragon spyware deployed against journalists and activists, Citizen Lab claims
  • Christoffer S.: "A First Look at Paragon's Proliferating Spyware Operations" investigates Paragon Solutions, an Israeli spyware vendor founded in 2019 that sells a product called Graphite.
  • IT-Connect: A zero-click flaw in WhatsApp was exploited by Paragon spyware, using a simple PDF document.
  • Zack Whittaker: This week's edition of ~ this week in security ~ includes a look at Citizen Lab's report revealing Paragon spyware customers and victims, CISA scrambling to contact fired staff after court reverses layoffs, and Wiz joining Google Cloud. Plus, a brand new cyber cat, and more.