Spyware disguised as a Telegram app has been discovered and is estimated to affect millions of people. The Android app, which was found on the Google Play Store, was built by an attacker to steal sensitive information from compromised devices.
Kaspersky security researcher Igor Golovin stated that the app contains malicious code capable of capturing sensitive data such as contacts, chat messages, phone numbers and user IDs, and exfiltrating it to a C2 server owned by the attacker.
In a statement, Igor said:
“A while ago, we discovered a bunch of Telegram mods on Google Play with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor says these are the fastest apps which use a distributed network of data processing centers around the world.”
Kaspersky has code-named the app Evil Telegram because of its malicious activity. According to TheHackerNews, the app has recorded over 10,020,000 million downloads since it was discovered.
Download counts of the malicious apps:
電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) – 10 million+ downloads
TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) – 50,000+ downloads
电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) – 50,000+ downloads
电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) – 10,000+ downloads
ئۇيغۇر تىلى TG – تېلېگرامما (org.telegram.messenger.wcb) – 100+ downloads
From the list above, it is clear that the attackers have been distributing this malicious app under several package names ending in .wab, .wob and .wcb, with the .wab variant recording by far the most downloads.
The Google Play Store version of Telegram uses the package name “org.telegram.messenger”, and the APK that can be downloaded directly from Telegram’s official website is “org.telegram.messenger.web”. The suffixes described above indicate that the attacker relies on typo-squatting: a social engineering technique in which a malicious name that closely resembles the original, differing only by a small change or omission, is used to trick inexperienced users into visiting the attacker’s server and downloading a malicious application, which then carries out the attacker’s intent, from stealing sensitive information to infecting the device with malware.
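As an added illustration (not code from the article or from Kaspersky), the following Python check flags installed package names that resemble the legitimate Telegram packages named above, run over a constructed `adb shell pm list packages` sample that contains the package names from the list; the 0.85 similarity threshold and the brand tokens are assumptions.

```python
import difflib

# Legitimate Telegram package names as given in the article above.
LEGIT_PACKAGES = ("org.telegram.messenger", "org.telegram.messenger.web")
# Name segments a lookalike is likely to reuse (assumption: derived from the legitimate names).
BRAND_TOKENS = ("telegram", "messenger")

# Constructed sample of `pm list packages` output; the Telegram variants are the article's names.
SAMPLE_PM_LIST = """\
package:org.telegram.messenger
package:com.android.chrome
package:org.telegram.messenger.wab
package:org.telegram.messenger.wob
package:org.tgcn.messenger.wob
package:org.telegram.messenger.wcb
package:com.example.notes
"""


def parse_pm_list(text):
    """Extract package names from `pm list packages` lines of the form 'package:<name>'."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")]


def classify_package(pkg, legit=LEGIT_PACKAGES, threshold=0.85):
    """Return None for a legitimate or unrelated package, otherwise a short reason
    why it looks like a Telegram lookalike. The similarity threshold is an assumption."""
    if pkg in legit:
        return None
    # Rule 1: a legitimate name with an extra segment appended (the .wab/.wob/.wcb pattern).
    for name in legit:
        if pkg.startswith(name + "."):
            return f"extra suffix appended to {name}"
    # Rule 2: near-identical spelling of a legitimate name (single-character edits or swaps).
    best = max(legit, key=lambda name: difflib.SequenceMatcher(None, pkg, name).ratio())
    ratio = difflib.SequenceMatcher(None, pkg, best).ratio()
    if ratio >= threshold:
        return f"{ratio:.2f} similar to {best}"
    # Rule 3: reuses a brand segment inside an otherwise unknown package name.
    if any(token in pkg.split(".") for token in BRAND_TOKENS):
        return "reuses a Telegram brand token in an unknown package"
    return None


def flag_lookalikes(pm_output):
    """Map every suspicious package in the pm output to the reason it was flagged."""
    return {pkg: reason for pkg in parse_pm_list(pm_output)
            if (reason := classify_package(pkg))}
```

Calling `flag_lookalikes(SAMPLE_PM_LIST)` returns the four Telegram variants from the list above, each with the rule that caught it, while the genuine package and the unrelated apps are left alone.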
In a blog article published by the Kaspersky team:
“At first glance, these apps appear to be full-fledged Telegram clones with a localized interface. Everything looks and works almost the same as the real thing. But there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module.”
TheHackerNews also noted that the disclosure came a few days after ESET revealed a BadBazaar malware campaign targeting the official app marketplace, which leveraged a rogue version of Telegram to amass chat backups.
It was also noted that the Slovak cybersecurity company uncovered a series of similar attacks involving apps such as Telegram and WhatsApp, whose intent is to intercept and modify wallet addresses in chat messages and redirect cryptocurrency transfers to attacker-owned wallets.
Kaspersky’s research team has released the IOCs (indicators of compromise) and the C2 (command and control) server.
We at Fixitgearware Security hope users will abstain from downloading mods by third parties claiming to have more powerful features than the legitimate application. They should also read through the information about the application provided by the vendor in the app store before downloading it, and lastly every link should be properly scrutinized for typo-squatting, to avoid falling prey to these attackers.
Please let us know in the comment section what you think about this.