Spyware masquerading as modified versions of Telegram has been spotted in the Google Play Store, designed to harvest sensitive information from compromised Android devices.
According to Kaspersky security researcher Igor Golovin, the apps come with nefarious features to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server.
The activity has been codenamed Evil Telegram by the Russian cybersecurity company.
The apps had been collectively downloaded millions of times before they were taken down by Google. Their details are as follows -
- 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) - 10 million+ downloads
- TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) - 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) - 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) - 10,000+ downloads
- ئۇيغۇر تىلى TG - تېلېگرامما (org.telegram.messenger.wcb) - 100+ downloads
The last app on the list translates to "Telegram - TG Uyghur," indicating a clear effort to target the Uyghur community.
It's worth noting that the package name associated with the Play Store version of Telegram is "org.telegram.messenger," whereas the package name for the APK file downloaded directly from Telegram's website is "org.telegram.messenger.web."
The use of "wab," "wcb," and "wob" for the malicious package names therefore highlights the threat actor's reliance on typosquatting techniques in order to pass the apps off as the legitimate Telegram app and slip under the radar. Note that the package name is what a device and the Play Store use to identify an app; a one-character change in the last segment yields a distinct package that can be installed alongside the real one and is easy to overlook in a package listing.
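As an added example (not code from the original article and not Kaspersky's tooling), here is a small Python check that applies the package-name observation above to the output of `adb shell pm list packages`. It assumes only the two legitimate package names cited above and runs on a constructed sample; it flags any installed name within a couple of edits of a real Telegram package name, and compares trailing segments as well as the whole name so that the swapped-namespace case (org.tgcn.messenger.wob) is caught where a plain whole-string comparison would miss it.

```python
"""Flag installed Android packages whose names typosquat Telegram's.

Added example for this article; not Kaspersky's tooling or code from the
original page. It assumes only the two legitimate package names the article
cites, and runs over a constructed sample in the format printed by
`adb shell pm list packages`.
"""

# Legitimate Telegram package names quoted in the article (assumed complete
# for this example; extend the set for other apps you want to protect).
LEGITIMATE = {
    "org.telegram.messenger",      # Play Store build
    "org.telegram.messenger.web",  # APK from telegram.org
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def closest_tail_distance(pkg: str, real: str) -> int:
    """Smallest edit distance between trailing segment groups of pkg and real.

    Comparing the whole name catches a mutated last segment
    (org.telegram.messenger.wab); comparing the last k segments (k >= 2)
    also catches a swapped namespace in front of an otherwise mirrored
    name (org.tgcn.messenger.wob vs org.telegram.messenger.web).
    """
    ps, rs = pkg.split("."), real.split(".")
    best = edit_distance(pkg, real)
    for k in range(2, len(rs) + 1):
        if len(ps) >= k:
            best = min(best, edit_distance(".".join(ps[-k:]), ".".join(rs[-k:])))
    return best


def classify(pkg: str, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one package name."""
    if pkg in LEGITIMATE:
        return "legit"
    if min(closest_tail_distance(pkg, real) for real in LEGITIMATE) <= max_distance:
        return "lookalike"
    return "unrelated"


def scan_pm_output(text: str) -> dict:
    """Parse `pm list packages` output; map each legit/lookalike name to its verdict."""
    verdicts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg = line[len("package:"):]
        verdict = classify(pkg)
        if verdict != "unrelated":
            verdicts[pkg] = verdict
    return verdicts


# Constructed sample of `adb shell pm list packages` output: the two legitimate
# names, the names the article attributes to the campaign, and a few unrelated
# apps. Illustrative data, not a real device dump.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:org.telegram.messenger
package:org.telegram.messenger.web
package:org.telegram.messenger.wab
package:org.telegram.messenger.wob
package:org.tgcn.messenger.wob
package:org.telegram.messenger.wcb
package:org.thoughtcrime.securesms
package:com.whatsapp
"""

if __name__ == "__main__":
    for pkg, verdict in scan_pm_output(SAMPLE_PM_OUTPUT).items():
        print(f"{verdict:10s} {pkg}")
```

The threshold of two edits is deliberately loose: the point of the check is to produce a short triage list of near-misses for a human to confirm against the allowlist, not to decide on its own that a package is malicious.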
"At first glance, these apps appear to be full-fledged Telegram clones with a localized interface," the company said. "Everything looks and works almost the same as the real thing. [But] there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module."
The disclosure comes days after ESET revealed a BadBazaar malware campaign targeting the official app storefront that leveraged a rogue version of Telegram to amass chat backups.
Similar copycat Telegram and WhatsApp apps were previously uncovered by the Slovak cybersecurity company in March 2023; those came fitted with clipper functionality to intercept and modify wallet addresses in chat messages and redirect cryptocurrency transfers to attacker-owned wallets.