Weaponized Telegram App Infected Over 60K Android Users

Telegram Messenger offers global, cloud-based instant messaging with several features:

  • Optional end-to-end-encryption
  • Video calling
  • VoIP
  • File sharing

Cybersecurity researchers at Securelist recently found several Telegram mods on Google Play in various languages (traditional Chinese, simplified Chinese, and Uighur), each claiming to be the fastest Telegram app with a global network of data centers.

Google Play's review process does not make Telegram mods safe; threat actors slip in and distribute their own modified versions. The researchers analyzed one such mod, which appears identical to the original Telegram upon launch.

Malicious Telegram Apps

Examining the code reveals a seemingly ordinary Telegram mod, but a package named com.wsys stands out, prompting further investigation into its functions.

Suspicious com.wsys library (Source – Securelist)

Functions linked to com.wsys access the user's contacts, which raises suspicion, as this is not part of the standard feature set.

The com.wsys library runs from the main activity class's connectedSocket() method, gathering user info and connecting to a command server when the app starts or the user switches accounts.

Users encounter another surprise when receiving a message: threat actors added the uploadTextMessageToService method to the incoming message processing code, which is absent in the clean Telegram version.
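The analysis above follows one pattern: take the official build as a baseline, then look for packages, methods and framework references that exist only in the mod, and escalate anything that reads contacts or opens its own network connection. The script below is an added example of that baseline-diff triage; it is not Securelist's tooling. The class records it operates on are constructed for illustration (in practice they would be dumped from each APK with a dex parser), and every class and method name inside the com.wsys package is made up here; only the package name and uploadTextMessageToService come from the write-up.

```python
"""Baseline-diff triage of a modified Telegram build (added example).

Idea: compare the class list of the official build with that of the mod,
flag classes, methods and framework references present only in the mod,
and escalate those that touch contacts or the network. The class records
below are CONSTRUCTED for illustration, not dumped from the real samples.
"""

from dataclasses import dataclass, field

# Real Android/Java framework identifiers whose appearance in an unexpected
# class deserves a closer look.
CONTACT_APIS = {"android.provider.ContactsContract"}
NETWORK_APIS = {"java.net.Socket", "javax.net.ssl.SSLSocket",
                "java.net.HttpURLConnection"}


@dataclass
class ClassInfo:
    name: str                                  # fully-qualified class name
    methods: set = field(default_factory=set)  # method names the class declares
    refs: set = field(default_factory=set)     # framework types it references


def new_packages(baseline, mod):
    """Packages present in the mod but absent from the official build."""
    base_pkgs = {c.name.rsplit(".", 1)[0] for c in baseline}
    return sorted({c.name.rsplit(".", 1)[0] for c in mod} - base_pkgs)


def triage(baseline, mod):
    """Return [(class_name, [reason, ...])] for every class that differs."""
    base_by_name = {c.name: c for c in baseline}
    findings = []
    for cls in mod:
        base = base_by_name.get(cls.name)
        if base is None:
            # Whole class is new: report it, then check what it reaches for.
            reasons = ["class absent from baseline"]
            added_refs = cls.refs
        else:
            reasons = []
            added_methods = cls.methods - base.methods
            added_refs = cls.refs - base.refs
            if added_methods:
                reasons.append("new methods: " + ", ".join(sorted(added_methods)))
        if added_refs & CONTACT_APIS:
            reasons.append("reads contacts")
        if added_refs & NETWORK_APIS:
            reasons.append("opens network connection")
        if reasons:
            findings.append((cls.name, reasons))
    return findings


# Constructed, heavily stripped-down view of the official build.
BASELINE = [
    ClassInfo("org.telegram.messenger.MessagesController",
              methods={"processUpdate", "loadMessages"},
              refs={"java.net.HttpURLConnection"}),
    ClassInfo("org.telegram.ui.LaunchActivity", methods={"onCreate"}),
]

# Constructed view of the mod: same classes plus the com.wsys package from the
# write-up. The class name ContactSync and its method are invented here.
MOD = [
    ClassInfo("org.telegram.messenger.MessagesController",
              methods={"processUpdate", "loadMessages",
                       "uploadTextMessageToService"},
              refs={"java.net.HttpURLConnection"}),
    ClassInfo("org.telegram.ui.LaunchActivity",
              methods={"onCreate", "connectedSocket"},
              refs={"java.net.Socket"}),
    ClassInfo("com.wsys.ContactSync",
              methods={"collect"},
              refs={"android.provider.ContactsContract", "java.net.Socket"}),
]


if __name__ == "__main__":
    print("packages only in mod:", new_packages(BASELINE, MOD))
    for name, reasons in triage(BASELINE, MOD):
        print(f"{name}: {'; '.join(reasons)}")
```

Running it against the constructed data surfaces exactly the three things the researchers noticed: a package (com.wsys) with no counterpart in the official build that reads contacts and opens a socket, a new method in the message-processing class, and a new socket-opening method in the main activity. Comparing against a baseline rather than hunting for known-bad strings is what makes this useful: a mod that renames com.wsys still shows up as an added package with contact and network references.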

Malware processing incoming message (Source – Securelist)

Upon message reception, uploadTextMessageToService captures the following data, encrypts it into a file named tgsync.s3 and sends it to the command server:

  • Chat details
  • Sender info

The method also gathers the following user contact info and sends all of it to the command server, including updates whenever the user changes their name or number:

  • IDs
  • Nicknames
  • Names
  • Phone numbers

Besides this, the app encrypts and forwards received or sent files to attackers’ accounts on popular cloud storage.

Recommendation

Recent attacks using unofficial Telegram mods, especially in China, go beyond crypto wallet scams and ad fraud: the mods act as full-fledged spyware that closely mimics the original Telegram code in order to pass Google Play security checks.

Official stores don't guarantee app security, so be wary of third-party messenger mods, even on Google Play. Despite the researchers reporting the threat, some of the apps remain available for download.

Source: https://cybersecuritynews.com/weaponized-telegram-app/

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO