Numerous fraudulent clones of the popular messaging platform Telegram have infiltrated the Google Play Store for Android, amassing over 60,000 installations, all while compromising users' data through insidious spyware.
These malevolent applications seemed to target Chinese-speaking users and the Uighur ethnic minority, suggesting potential connections to the documented state-sponsored surveillance and repression mechanisms.
Kaspersky, a renowned cybersecurity firm, made the alarming discovery and promptly reported it to Google. Despite these reports, the malicious apps remained accessible for download on Google Play.
These counterfeit Telegram apps, as highlighted in Kaspersky's report, were promoted as "faster" alternatives to the authentic version. With over 60,000 installations, they managed to attract a significant number of potential victims.
Security analysts revealed that these rogue apps closely resembled the legitimate Telegram but contained hidden functions designed to pilfer user data. Notably, they incorporated an additional package named 'com.wsys', which covertly accessed users' contacts while harvesting their usernames, user IDs, and phone numbers.
Whenever a user received a message through the compromised app, the spyware surreptitiously forwarded a copy to the operator's command and control (C2) server at "sg[.]telegrnm[.]org." The exfiltrated data was encrypted prior to transmission, encompassing message contents, chat/channel titles and IDs, as well as the sender's name and ID.
Moreover, the spyware app vigilantly monitored the infected app for any alterations to the victim's username, ID, or contacts list. If any changes occurred, it promptly gathered the most up-to-date information.
Crucially, these malicious "Evil Telegram" apps masqueraded under the package names 'org.telegram.messenger.wab' and 'org.telegram.messenger.wob', whereas the authentic Telegram app uses the package name 'org.telegram.messenger.web'.
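The one-character difference between the clone package names and the genuine one is exactly what a lookalike check can catch. The following is an added example (not Kaspersky's or Google's tooling) that parses the output of `adb shell pm list packages` and flags the package names named in this article plus any near-miss of the legitimate name; the sample device output is constructed.

```python
import re
from typing import Dict

# Legitimate Telegram package name as stated in the article.
LEGITIMATE = {"org.telegram.messenger.web"}
# Package names the article attributes to the "Evil Telegram" clones.
KNOWN_MALICIOUS = {"org.telegram.messenger.wab", "org.telegram.messenger.wob"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character swaps such as .web -> .wab."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(pkg: str, max_distance: int = 2) -> str:
    """Verdict for one package name: legitimate, known-malicious, lookalike or unrelated."""
    if pkg in LEGITIMATE:
        return "legitimate"
    if pkg in KNOWN_MALICIOUS:
        return "known-malicious"
    if any(0 < edit_distance(pkg, legit) <= max_distance for legit in LEGITIMATE):
        return "lookalike"
    return "unrelated"

def scan_package_list(pm_output: str) -> Dict[str, str]:
    """Parse `pm list packages` output ("package:<name>" per line) and keep only findings."""
    findings = {}
    for line in pm_output.splitlines():
        m = re.match(r"^package:(\S+)", line.strip())
        if m and (verdict := classify(m.group(1))) != "unrelated":
            findings[m.group(1)] = verdict
    return findings

# Constructed sample, not captured from a real device.
SAMPLE_PM_OUTPUT = """package:org.telegram.messenger.web
package:org.telegram.messenger.wab
package:org.telegram.messenger.wed
package:com.android.chrome
"""

if __name__ == "__main__":
    for pkg, verdict in scan_package_list(SAMPLE_PM_OUTPUT).items():
        print(f"{verdict:16} {pkg}")
```

A "lookalike" verdict is a prompt to verify the app's signing certificate against the vendor's published one, not proof of malice on its own.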
Subsequently, Google took action by removing these Android apps from Google Play and issued a statement emphasizing their commitment to security and privacy:
"We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. All of the reported apps have been removed from Google Play and the developers have been banned. Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services." - Google.
This incident highlights the dangers associated with modified messaging apps. In a recent occurrence, ESET, another cybersecurity firm, warned about two tampered messaging apps, Signal Plus Messenger and FlyGram, which were promoted as enhanced versions of Signal and Telegram but harbored the BadBazaar malware, allowing Chinese APT group 'GREF' to spy on users.
Earlier this year, ESET uncovered two dozen counterfeit Telegram and WhatsApp sites distributing tampered versions of these popular messaging apps, all aimed at Chinese-speaking users.
As a precaution, users are strongly advised to stick with authentic versions of messaging apps and refrain from downloading forked versions promising improved privacy, speed, or additional features.
Google's struggle to curtail such malicious uploads stems from publishers introducing harmful code through post-screening and post-installation updates. In response, Google announced a strategy to implement a business verification system on the Google Play store, commencing on August 31st, 2023, with the aim of bolstering security for Android users.