Spyware Hidden in Fake Telegram Apps on Google Play Infects Millions

Spyware masquerading as customized versions of Telegram has been detected on the Google Play Store. These apps have malicious functionalities enabling them to gather and send private information, including names, user IDs, contacts, phone numbers, and chat messages, to a server controlled by malicious actors. A Russian cybersecurity firm has named this operation "Evil Telegram."

Before Google removed them, these apps had already been downloaded millions of times. Here are the specific apps:

電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) - 10 million+ downloads
电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) - 50,000+ downloads
TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) - 50,000+ downloads
电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) - 10,000+ downloads
ئۇيغۇر تىلى TG - تېلېگرامما (org.telegram.messenger.wcb) - 100+ downloads
Notably, the second-to-last app on the list is named "Telegram - TG Uyghur," indicating a specific targeting of the Uyghur group.

It's essential to highlight that the APK file directly downloaded from the Telegram website uses the package name "org.telegram.messenger.web," which differs from the Play Store version's "org.telegram.messenger." This underscores the threat actor's use of typosquatting methods to mimic the genuine Telegram app and avoid detection, as evident from the use of "wab," "wcb," and "wob" in the malicious package names.
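
An added example, not from the original article: a Python sketch of how a defender could screen a device's package inventory for names that imitate the two official Telegram package names mentioned above. The distance thresholds, the tail heuristic, the function names and `com.example.notes` are assumptions made for illustration.

```python
# Official Telegram package names as given in the article.
OFFICIAL = ("org.telegram.messenger", "org.telegram.messenger.web")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def tail(package: str) -> str:
    """Last two dot-separated labels, e.g. 'messenger.web'."""
    return ".".join(package.split(".")[-2:])

def classify(package: str, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one package name."""
    if package in OFFICIAL:
        return "official"
    for good in OFFICIAL:
        # Whole-name check: catches single-letter swaps such as .wab/.wcb/.wob.
        if edit_distance(package, good) <= max_distance:
            return "lookalike"
        # Tail check (assumed heuristic): catches a changed namespace that keeps
        # a near-copy of the official ending, e.g. org.tgcn.messenger.wob.
        if edit_distance(tail(package), tail(good)) <= 1:
            return "lookalike"
    return "unrelated"

def audit(lines):
    """Take `pm list packages`-style lines and return the lookalike names."""
    names = [ln.strip().removeprefix("package:") for ln in lines if ln.strip()]
    return [n for n in names if classify(n) == "lookalike"]

# Constructed inventory in `pm list packages` form. The lookalike names are the
# ones listed in the article; com.example.notes is a made-up benign entry.
SAMPLE = [
    "package:org.telegram.messenger", "package:org.telegram.messenger.web",
    "package:org.telegram.messenger.wab", "package:org.telegram.messenger.wob",
    "package:org.tgcn.messenger.wob", "package:org.telegram.messenger.wcb",
    "package:com.example.notes",
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Whole-name edit distance alone misses `org.tgcn.messenger.wob`, because its namespace differs too much from `org.telegram`; the tail comparison is what flags it.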

At first glance, these apps appear to be complete clones of Telegram, offering a customized user experience. They closely mimic the legitimate app, but one subtle difference is that the infected versions include an additional module.

This revelation comes shortly after ESET uncovered a malware campaign known as BadBazaar, which targeted the official app store and employed a counterfeit Telegram version to collect chat backups. Earlier in March 2023, the Slovak cybersecurity company also found fake Telegram and WhatsApp apps equipped with clipper capabilities, allowing them to capture and modify wallet addresses in chat conversations and reroute cryptocurrency transfers to attacker-controlled wallets.

Download NPAV Mobile Security today to stay safe from such dangerous apps