'Evil Telegram' Android apps on Google Play infected 60K with spyware


Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data.

The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms.

The apps were discovered by Kaspersky, who reported them to Google. However, at the time the researchers published their report, several malicious apps were still available for download through Google Play.

Trojanized Telegram

The Telegram apps presented in Kaspersky's report are promoted as "faster" alternatives to the regular app.

The examples shown in the report have over 60,000 installs, so the campaign has had moderate success in reaching a pool of potential targets.

One of the malicious apps on Google Play (Kaspersky)

The security analysts report that the apps are ostensibly the same as the original Telegram but contain additional functions in the code to steal data.

Specifically, there's an extra package named 'com.wsys' that accesses the user's contacts and also collects the victim's username, user ID, and phone number.

When the user receives a message through the trojanized app, the spyware sends a copy straight to the operator's command and control (C2) server at "sg[.]telegrnm[.]org".

Intercepting an incoming message (Kaspersky)

The exfiltrated data, which is encrypted prior to transmission, contains the message contents, chat/channel title and ID, and the sender's name and ID.

The spyware app also monitors the infected app for changes to the victim's username and ID and changes to the contacts list, and if anything changes, collects the most up-to-date information.

Stealing the information of the victim's friends (Kaspersky)

It should be noted that the malicious Evil Telegram apps used the package names 'org.telegram.messenger.wab' and 'org.telegram.messenger.wob,' while the legitimate Telegram app has a package name of 'org.telegram.messenger.web.'
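The package names above differ from the legitimate one by a single character, which an edit-distance check over a device's installed-package inventory can flag. The following is an added example, not code from Kaspersky's report or the original article; the inventory is constructed sample data, and the allowlist contents beyond the package name given here, the threshold, and the function names are assumptions.

```python
# Added example: flag installed Android packages whose names are near-misses
# of a known-good package name (lookalike / typosquatted app IDs).

# Allowlist of legitimate package names. Only the one named in the article is
# listed; extend it with the apps your fleet actually uses (assumption).
KNOWN_GOOD = {"org.telegram.messenger.web"}

# Constructed sample inventory, e.g. exported from an MDM or `pm list packages`.
SAMPLE_INVENTORY = [
    "org.telegram.messenger.web",   # legitimate, per the article
    "org.telegram.messenger.wab",   # lookalike named in the article
    "org.telegram.messenger.wob",   # lookalike named in the article
    "com.example.notes",            # unrelated constructed entry
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(installed, known_good=KNOWN_GOOD, max_distance=2):
    """Return (package, closest_known_good, distance) for near-miss names.

    Exact matches are skipped: a matching name is not proof of authenticity,
    which would need a signing-certificate check, out of scope here.
    """
    findings = []
    for pkg in installed:
        if pkg in known_good:
            continue
        good, dist = min(((g, edit_distance(pkg, g)) for g in sorted(known_good)),
                         key=lambda pair: pair[1])
        if dist <= max_distance:
            findings.append((pkg, good, dist))
    return findings


if __name__ == "__main__":
    for pkg, good, dist in find_lookalikes(SAMPLE_INVENTORY):
        print(f"SUSPECT {pkg} (distance {dist} from {good})")
```

The same distance function applies to hostnames in DNS or proxy logs, where a domain one edit away from a vendor's real domain deserves a second look.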

Google has since taken these Android apps off Google Play and shared the following statement with BleepingComputer.

"We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. All of the reported apps have been removed from Google Play and the developers have been banned. Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behaviour on Android devices with Google Play Services." - Google.

Dangers of modded messaging apps

Late last month, ESET warned about two trojanized messaging apps, Signal Plus Messenger and FlyGram, promoted as more feature-rich versions of the popular open-source Signal and Telegram apps.

Now removed from Google Play and the Samsung Galaxy Store, those apps contained the BadBazaar malware that allowed their operators, the Chinese APT 'GREF,' to spy on their targets.

Earlier this year, ESET discovered two dozen Telegram and WhatsApp clone sites distributing trojanized versions of the popular messaging apps, also targeting Chinese-speaking users.

Users are recommended to use the genuine versions of messaging apps and avoid downloading forked apps that promise enhanced privacy, speed, or other features.

Google has been unable to stop these malicious uploads mainly because the publishers introduce malicious code via post-screening and post-installation updates.

In July, the tech giant unveiled a strategy to implement a business verification system on the Google Play store starting on August 31st, 2023, aiming to enhance security for Android users.