Pierluigi Paganini September 11, 2023

Evil Telegram: a Trojanized version of the Telegram app was spotted on the Google Play Store, Kaspersky researchers reported.

Researchers from Kaspersky discovered several Telegram mods on the Google Play Store that contained spyware, the campaign was tracked as Evil Telegram.

One of the apps was downloaded more than ten million times before it was removed from Google Play.

The trojanized apps were uploaded with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor advertised the applications are the fastest apps that use a distributed network of data processing centers around the world.

The malicious code hidden in the apps can harvest sensitive information from compromised Android devices.

The apps can collect information about the user’s contacts, including IDs, nicknames, names, and phone numbers.

The analysis of the code revealed that most packages of the trojanized version of Telegram look the same as the standard ones. However, Kaspersky experts noticed a package called com.wsys which is not included in the code of the legitimate Telegram. The package includes the code to steal sensitive data and process the incoming message.

“When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.” reads the analysis published by Kaspersky.

The attacker used the typosquatting technique for the composition of the malicious package names in order to trick users that they were downloading the legitimate Telegram app.

“Attacks employing various unofficial Telegram mods are on the rise of late. Often, they replace crypto wallet addresses in users’ messages or perform ad fraud. Unlike those, the apps described in this article come from a class of full-fledged spyware targeted at users from a specific locale (China) and capable of stealing the victim’s entire correspondence, personal data, and contacts. And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks.” concludes the analysis. As you can see, being an official store item does not guarantee an app’s security, so be wary of third-party messenger mods, even those distributed by Google Play“

The researchers published indicators of compromise (IoCs) for the Evil Telegram campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Evil Telegram)