Telegram has quickly become one of the most popular messaging services. However, taking advantage of its popularity, threat actors have reportedly started publishing fake versions of the Telegram app loaded with spyware on the Play Store.
According to Kaspersky cybersecurity researcher Igor Golovin, the threat actors crafted these apps specifically to gather sensitive user information, such as messages and contact lists. The fact that the apps target Chinese-speaking users and the Uighur ethnic minority has raised further concerns, as the operation could potentially be linked to state surveillance.
How do the fake versions of the Telegram app work?
These apps entice unsuspecting victims by presenting themselves as faster versions of the Telegram app, closely mimicking its interface and functionalities. Additionally, with over 60,000 installations, it is evident that this campaign has successfully attracted a substantial number of potential victims.
While these apps may look like the genuine Telegram app, the report reveals that they contain an additional label, ‘com.wsys’, which sends copies of all of the user’s messages and personal information to the operator’s command and control (C2) server, located at “sg[.]telegrnm[.]org”. The app also continuously monitors the victim’s username, ID, and contact list for changes and promptly transmits any updated information to the threat actors.
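The C2 domain above is the one concrete network indicator the report gives, and its spelling is a near-miss of the real telegram.org. The following detection script is an added example (not from the report or from Kaspersky) that scans DNS query logs for that known C2 and for other lookalike spellings of the Telegram brand; the log format and the sample log lines are constructed for the example.

```python
import re

# Known C2 domain from the report (defanged on the page as sg[.]telegrnm[.]org).
KNOWN_C2 = {"sg.telegrnm.org"}
# Legitimate Telegram domains that must never be flagged (assumption: this short allowlist).
LEGIT_TELEGRAM = {"telegram.org", "telegram.me", "t.me"}
BRAND = "telegram"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    # Naive: last two labels. Assumes no multi-part public suffixes (e.g. co.uk) in the data.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify(domain: str) -> str:
    """Return 'known-c2', 'legit', 'lookalike' or 'benign' for a queried name."""
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if d in KNOWN_C2 or reg in {registrable(c) for c in KNOWN_C2}:
        return "known-c2"
    if reg in LEGIT_TELEGRAM:
        return "legit"
    sld = reg.split(".")[0]
    # Distance <= 2 catches 'telegrnm'/'telegrm'; tune the threshold to limit false positives.
    if sld != BRAND and edit_distance(sld, BRAND) <= 2:
        return "lookalike"
    return "benign"

# Constructed log format: "<timestamp> <client-ip> query: <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>\S+)$")

def scan_dns_log(lines):
    """Return the queries that hit the known C2 or a lookalike domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        verdict = classify(m["qname"])
        if verdict in ("known-c2", "lookalike"):
            hits.append({"ts": m["ts"], "src": m["src"], "qname": m["qname"], "verdict": verdict})
    return hits

# Constructed sample DNS log: two benign queries, one to the reported C2, one to a lookalike.
SAMPLE_LOG = [
    "2023-09-08T10:00:01Z 10.0.0.12 query: api.telegram.org",
    "2023-09-08T10:00:02Z 10.0.0.12 query: sg.telegrnm.org",
    "2023-09-08T10:00:03Z 10.0.0.15 query: example.com",
    "2023-09-08T10:00:04Z 10.0.0.15 query: cdn.telegrm.net",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

Running the block flags the query to sg.telegrnm.org as known-c2 and cdn.telegrm.net as a lookalike, while the genuine api.telegram.org query is left alone.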
In response to these reports, Google thankfully removed these apps from the Play Store and stated, “We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behaviour on Android devices with Google Play Services.”
This incident also comes just days after a report from ESET highlighted the BadBazaar malware campaign, which used a rogue version of Telegram to collect chat backups. Users should therefore exercise caution when downloading alternative versions of the app, even from the Play Store.