Evil Telegram campaign: Trojanized Telegram apps found on Google Play

Evil Telegram: a Trojanized version of the Telegram app was spotted on the Google Play Store, Kaspersky researchers reported.

Researchers from Kaspersky discovered several Telegram mods on the Google Play Store that contained spyware, the campaign was tracked as Evil Telegram.

One of the apps was downloaded more than ten million times before it was removed from Google Play.

The trojanized apps were uploaded with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor advertised the applications are the fastest apps that use a distributed network of data processing centers around the world.

The malicious code hidden in the apps can harvest sensitive information from compromised Android devices.

The apps can collect information about the user’s contacts, including IDs, nicknames, names, and phone numbers.

The analysis of the code revealed that most packages of the trojanized version of Telegram look the same as the standard ones. However, Kaspersky experts noticed a package called com.wsys which is not included in the code of the legitimate Telegram. The package includes the code to steal sensitive data and process the incoming message.

“When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.” reads the analysis published by Kaspersky.

The attacker used the typosquatting technique for the composition of the malicious package names in order to trick users that they were downloading the legitimate Telegram app.

“Attacks employing various unofficial Telegram mods are on the rise of late. Often, they replace crypto wallet addresses in users’ messages or perform ad fraud. Unlike those, the apps described in this article come from a class of full-fledged spyware targeted at users from a specific locale (China) and capable of stealing the victim’s entire correspondence, personal data, and contacts. And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks.” concludes the analysis. As you can see, being an official store item does not guarantee an app’s security, so be wary of third-party messenger mods, even those distributed by Google Play“

The researchers published indicators of compromise (IoCs) for the Evil Telegram campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Evil Telegram)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.