'Evil Telegram' Android apps on Google Play infected 60K with spyware

Cyber Security Threat Summary:
“Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms. The apps were discovered by Kaspersky, who reported them to Google. However, at the time the researchers published their report, several malicious apps were still available for download through Google Play” (Bleeping Computer, 2023).

To entice users into installing the malicious applications, the threat actors advertise them as faster alternatives to Telegram. Although the apps closely resemble the original Telegram client, additional functionality is included in the codebase. In particular, these apps contain an extra package named “com.wsys” that is designed to access the user’s contacts, username, user ID, and phone number.

These apps ensure that the information collected is up-to-date, as they will monitor changes to the victim’s username, contact list, and much more. Messages sent between users of the trojanized applications are also collected. Prior to these messages being exfiltrated to an attacker-controlled C2 server, they are encrypted and will typically include the chat/channel title and ID, as well as the sender’s name and ID along with the message contents.

Security Officer Comments:
The threat actors behind these applications are using typosquatting to evade detection. According to researchers, the legitimate Telegram app has the package name ‘org[.]telegram[.]messenger[.]web’. The Telegram clones use similar package names, including ‘org[.]telegram[.]messenger[.]wab’ and ‘org[.]telegram[.]messenger[.]wob’. Thankfully, Google has removed these applications and banned the developers, making these apps inaccessible to users on the Play Store.
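Lookalike package names of this kind can be flagged on a managed device by comparing each installed package name against an allow-list of known-good names and reporting near misses. The following is an added example, not code from the report or from Kaspersky; the installed-package list is constructed, and the allow-list of legitimate names is an assumption the defender would maintain.

```python
"""Flag installed Android package names that look like typosquats of a
known-good package name. Added example; the installed-package sample
below is constructed to mirror the names quoted in the report."""

# Assumption: the defender maintains this allow-list of genuine packages.
LEGITIMATE_PACKAGES = {"org.telegram.messenger.web"}

# Constructed sample of what `adb shell pm list packages` might return,
# including the two lookalike names quoted in the report.
INSTALLED_PACKAGES = [
    "com.android.chrome",
    "org.telegram.messenger.web",
    "org.telegram.messenger.wab",
    "org.telegram.messenger.wob",
    "com.example.notes",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(installed, legitimate=LEGITIMATE_PACKAGES, max_distance=2):
    """Return (installed_name, legitimate_name, distance) for every package
    that is close to, but not identical to, a protected package name."""
    hits = []
    for pkg in installed:
        if pkg in legitimate:
            continue  # exact match is the genuine app, not a lookalike
        for good in legitimate:
            d = levenshtein(pkg, good)
            if 0 < d <= max_distance:
                hits.append((pkg, good, d))
    return hits


if __name__ == "__main__":
    for pkg, good, d in find_lookalikes(INSTALLED_PACKAGES):
        print(f"SUSPECT {pkg}: edit distance {d} from {good}")
```

On a real fleet, feed the output of the device inventory into `find_lookalikes` and treat any hit as a package to review against its Play Store listing and signing certificate.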

Suggested Correction(s):
When installing applications from the Play Store, looking at the user reviews and ratings can help determine the authenticity of the application. Furthermore, certain apps will request more permissions than required to function as intended. In general, it’s important to avoid installing such applications as threat actors can use these permissions to take control of devices and access confidential data.