Adware masquerading as modified variations of Telegram have been noticed within the Google Play Retailer that is designed to reap delicate data from compromised Android units.
In line with Kaspersky safety researcher Igor Golovin, the apps include nefarious features to seize and exfiltrate names, person IDs, contacts, telephone numbers, and chat messages to an actor-controlled server.
The exercise has been codenamed Evil Telegram by the Russian cybersecurity firm.
The apps have been collectively downloaded tens of millions of instances earlier than they have been taken down by Google. Their particulars are as follows –
- 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) – 10 million+ downloads
- TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) – 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) – 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) – 10,000+ downloads
- ئۇيغۇر تىلى TG – تېلېگرامما (org.telegram.messenger.wcb) – 100+ downloads
The final app on the listing interprets to “Telegram – TG Uyghur,” indicating a transparent try to focus on the Uyghur group.
It is price noting that the package deal title related to the Play Retailer model of Telegram is “org.telegram.messenger,” whereas the package deal title for the APK file immediately downloaded from Telegram’s website is “org.telegram.messenger.net.”
The usage of “wab,” “wcb,” and “wob” for the malicious package deal names, due to this fact, highlights the menace actor’s reliance on typosquatting strategies with a purpose to cross off because the official Telegram app and slip underneath the radar.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service account safety? Learn how well-equipped your group really is towards id threats
“At first look, these apps look like full-fledged Telegram clones with a localized interface,” the corporate said. “All the pieces seems to be and works virtually the identical as the true factor. [But] there’s a small distinction that escaped the eye of the Google Play moderators: the contaminated variations home an extra module:”
The disclosure comes days after ESET revealed a BadBazaar malware marketing campaign concentrating on the official app market that leveraged a rogue model of Telegram to amass chat backups.
Comparable copycat Telegram and WhatsApp apps have been uncovered by the Slovak cybersecurity agency beforehand in March 2023 that got here fitted with clipper performance to intercept and modify pockets addresses in chat messages and redirect cryptocurrency transfers to attacker-owned wallets.
