Fake Telegram Apps Infect 60k Phones With Spyware
Malicious actors have successfully distributed counterfeit versions of Telegram on Google Play, targeting Chinese users and infecting over 60,000 Android phones with spyware. Data such as user messages and contact lists were stolen. Kaspersky uncovered the deceptive applications and described them in a report.
The apps masqueraded as faster versions of Telegram. However, while much of the code is exactly the same as Telegram, there are extra functions to steal user data. Messages received by the user are immediately copied and sent straight to the attacker’s server, along with the chat title and ID, and the sender’s name and ID. The user’s contact list, username, ID, and phone number are also collected and monitored by the spyware.
Google has since taken the offending apps off the Play Store, and stated the following to BleepingComputer: “We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. All of the reported apps have been removed from Google Play and the developers have been banned. Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”
In a similar vein, ESET warned last month of two more malicious messaging apps that were promoted as more feature-rich versions of Signal and Telegram. These were named Signal Plus Messenger and FlyGram. Signal Plus Messenger was available on the Play Store from July 2022, accumulating around 100 downloads before removal. FlyGram was downloaded 5,000 times following its June 2020 Play Store launch and was available for nearly a year.
The malicious apps used open-source code from Signal and Telegram, closely resembling the legitimate apps. However, the apps embedded BadBazaar, an espionage tool linked to previous attacks on Uyghurs and Turkic minorities. ESET speculates that a China-aligned hacking group, identified as GREF, may be behind this particular campaign.
If you have Signal Plus Messenger or FlyGram on your Android device, immediate action is necessary. Uninstall these apps to safeguard your personal information.