Attack

Google Play fake Telegram app installs spyware

Take action: Be very mindful of installing random apps from the app stores. Check the number of downloads, which should be in the millions for any reasonably popular app, and the spread of ratings, which should vary widely for a genuine user base. An app with a very small number of downloads and a uniformly high rating indicates faked ratings and a possibly malicious app.


Learn More

A set of fake Android applications impersonating Telegram, discovered on the Google Play Store, have managed to infect more than 60,000 users with spyware, harvesting their messages, contact lists, and various personal data.

The rogue apps seem to have been crafted with a specific focus on Chinese-speaking users, raising concerns about potential connections to state surveillance.

Kaspersky uncovered these fraudulent Telegram clones and reported them to Google. However, at the time of the researchers' report publication, several of these malicious applications were still available for download from the Google Play Store.

Dubbed "Trojanized Telegram," the apps masquerade as "faster" alternatives to the legitimate Telegram app. The reported instances of these rogue apps have garnered over 60,000 installations, indicating a moderate level of success in reaching potential victims.

Security analysts have ascertained that while these apps outwardly resemble the official Telegram, they conceal additional functionality within their code designed to steal user data. An additional package of the app labeled operates stealthily, gaining access to users' contact lists and siphoning off critical information, including usernames, user IDs, and phone numbers.

Whenever a user receives a message through one of these Trojanized apps, the spyware silently dispatches a copy to the operator's command and control (C2) server, identified as "sg[.]telegrnm[.]org." This exfiltrated data is encrypted before transmission, and it comprises the message content, chat or channel title and ID, and the sender's name and ID.

Furthermore, the spyware-infected app actively monitors the host device for any changes to the user's username, ID, or contact list. Should any modifications occur, the app dutifully collects the most current information.

Google has since taken action to remove these Android apps from the Google Play Store. Google has long grappled with malicious app uploads, because perpetrators can introduce malicious code after review, through post-screening and post-installation updates. To combat this, Google has introduced a business verification system on the Google Play Store, commencing on August 31st, 2023, aimed at enhancing security for Android users.
