A series of trojanised Telegram clones for Android, dubbed Evil Telegram, posed as legitimate alternatives to the official application and circulated on the Google Play Store. The apps claimed to offer a faster messaging experience; in reality they infected over 60,000 users with spyware that steals sensitive data such as messages, contacts, and account information.
Moreover, the spyware developers deliberately built the malware to target Chinese-speaking users and, potentially, the Uighur ethnic minority. This targeting suggests the operators may be connected to state surveillance and repression mechanisms, although the article does not establish attribution.
Google has already received reports about this campaign and has responded by removing some of the malicious apps from the Play Store. Unfortunately, others were still available for download at the time of writing.
The Evil Telegram apps claimed to provide better features than the legitimate app.
The operators of the Evil Telegram apps promoted their messaging platform as a faster alternative to the authentic Telegram application. The campaign was effective: by the time it was reported, the apps had already accumulated about 60,000 installations.
Investigations also revealed that these fake apps looked identical to the original Telegram app but contained additional code that steals user data. The trojanised apps carry an extra package named ‘com.wsys’ that the legitimate client does not have; it accesses the user’s contacts and gathers information such as the victim’s username, user ID, and phone number.
Furthermore, whenever the victim receives a message, the trojanised app silently forwards a copy to an attacker-controlled command-and-control (C2) server at “sg[.]telegrnm[.]org”, a domain chosen to resemble Telegram’s own.
The exfiltrated data is sent in encrypted form and includes chat/channel titles and IDs, sender names, and message contents. The spyware also monitors the infected app for changes to the victim’s username, user ID, and contact list, so the attackers always hold the latest details about their targets.
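The two concrete indicators the description above gives, the ‘com.wsys’ package and the C2 host “sg[.]telegrnm[.]org”, are exactly what a responder would hunt for. The script below is an added example, not code from the original article or from the researchers who analysed the campaign. It assumes two inputs you would typically have: DNS query logs, one line per query in the form "<timestamp> <client-ip> <qname>" (the format is an assumption), and a plain list of fully-qualified class names extracted from a suspect APK's dex (how you extract them is up to your tooling). All sample data is constructed; the class names under com.wsys are invented for illustration and are not the malware's real class names. It also goes slightly beyond the article by matching the registrable parent domain, so a C2 that moves to a new subdomain still fires.

```python
"""Indicator hunt for the Evil Telegram campaign (added example, not the article's code).

Assumptions (not from the article): DNS logs are "<timestamp> <client-ip> <qname>"
per line; dex classes are given as fully-qualified Java names. Sample data is constructed.
"""
from typing import List, Tuple

# Indicators quoted in the article, kept defanged so they are safe to paste around.
C2_HOSTS_DEFANGED = ["sg[.]telegrnm[.]org"]
SPYWARE_PACKAGE = "com.wsys"


def refang(indicator: str) -> str:
    """'sg[.]telegrnm[.]org' -> 'sg.telegrnm.org'; also undoes '(.)' and 'hxxp'."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").strip().lower().rstrip("."))


def registrable_parent(host: str) -> str:
    """Heuristic: drop the left-most label, 'sg.telegrnm.org' -> 'telegrnm.org'.
    Adequate for a .org C2; a public-suffix list is needed for co.uk-style TLDs."""
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host


def expand_dns_iocs(defanged: List[str]) -> List[str]:
    """Exact C2 hosts first, then their parent domains (most specific match wins)."""
    out: List[str] = []
    for d in defanged:
        host = refang(d)
        for cand in (host, registrable_parent(host)):
            if cand not in out:
                out.append(cand)
    return out


def is_same_or_subdomain(qname: str, ioc: str) -> bool:
    """Label-boundary safe: 'api.telegrnm.org' matches 'telegrnm.org',
    'sgtelegrnm.org' and the legitimate 'telegram.org' do not."""
    q = qname.strip().lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def in_package(class_name: str, package: str) -> bool:
    """'com.wsys.Foo' is in 'com.wsys'; 'com.wsystem.Foo' is not."""
    return class_name == package or class_name.startswith(package + ".")


def hunt_dns(log_lines: List[str], defanged_iocs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, matched_ioc) for every query that hits an indicator."""
    iocs = expand_dns_iocs(defanged_iocs)
    hits: List[Tuple[str, str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of aborting the hunt
        _ts, client, qname = parts[0], parts[1], parts[2]
        for ioc in iocs:
            if is_same_or_subdomain(qname, ioc):
                hits.append((client, qname.lower().rstrip("."), ioc))
                break  # report the most specific indicator only
    return hits


def hunt_dex(class_names: List[str], package: str = SPYWARE_PACKAGE) -> List[str]:
    """Classes that live in the spyware package, sorted for stable output."""
    return sorted(c for c in class_names if in_package(c, package))


# Constructed sample inputs (not real telemetry).
SAMPLE_DNS_LOG = [
    "2023-09-08T10:01:02Z 10.0.0.5 web.telegram.org",   # legitimate Telegram traffic
    "2023-09-08T10:01:09Z 10.0.0.5 sg.telegrnm.org",    # the C2 host named in the article
    "2023-09-08T10:02:15Z 10.0.0.7 api.telegrnm.org",   # same parent domain, new subdomain
    "2023-09-08T10:02:30Z 10.0.0.9 sgtelegrnm.org",     # look-alike that must NOT match
    "malformed line",
]
SAMPLE_DEX_CLASSES = [
    "org.telegram.messenger.ApplicationLoader",  # genuine client code
    "com.wsys.Collector",                        # invented name inside the spyware package
    "com.wsys.net.Sender",                       # invented name inside the spyware package
    "com.wsystem.Legit",                         # shares a prefix string, must NOT match
]

if __name__ == "__main__":
    for client, qname, ioc in hunt_dns(SAMPLE_DNS_LOG, C2_HOSTS_DEFANGED):
        print(f"DNS hit: {client} -> {qname} (indicator {ioc})")
    for cls in hunt_dex(SAMPLE_DEX_CLASSES):
        print(f"dex hit: {cls}")
```

Feed hunt_dns your resolver or Zeek DNS export and hunt_dex the class list of any Telegram-branded APK you did not obtain from the official developer; a single hit on com.wsys or on telegrnm.org is worth a full triage of that device, since the article's description implies every received message was being copied out.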
This campaign highlights the importance of vigilance when downloading apps, even from official app stores: a listing on the Play Store is not proof that an app is the genuine article. Regularly applying security updates to devices also helps limit the impact of such attacks. Lastly, staying informed about campaigns like this one significantly reduces the chances of falling victim to them.