Spyware and adware masquerading as modified variations of Telegram have been noticed within the Google Play Retailer that is designed to reap delicate data from compromised Android units.
In line with Kaspersky safety researcher Igor Golovin, the apps include nefarious features to seize and exfiltrate names, consumer IDs, contacts, telephone numbers, and chat messages to an actor-controlled server.
The exercise has been codenamed Evil Telegram by the Russian cybersecurity firm.
The apps have been collectively downloaded tens of millions of occasions earlier than they have been taken down by Google. Their particulars are as follows –
- 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) – 10 million+ downloads
- TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) – 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) – 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) – 10,000+ downloads
- ئۇيغۇر تىلى TG – تېلېگرامما (org.telegram.messenger.wcb) – 100+ downloads
The final app on the listing interprets to “Telegram – TG Uyghur,” indicating a transparent try to focus on the Uyghur group.
It is value noting that the bundle identify related to the Play Retailer model of Telegram is “org.telegram.messenger,” whereas the bundle identify for the APK file instantly downloaded from Telegram’s website is “org.telegram.messenger.internet.”
The usage of “wab,” “wcb,” and “wob” for the malicious bundle names, due to this fact, highlights the menace actor’s reliance on typosquatting strategies with the intention to go off because the professional Telegram app and slip below the radar.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service account safety? Learn the way well-equipped your group really is in opposition to id threats
“At first look, these apps seem like full-fledged Telegram clones with a localized interface,” the corporate said. “All the pieces seems to be and works virtually the identical as the true factor. [But] there’s a small distinction that escaped the eye of the Google Play moderators: the contaminated variations home a further module:”
The disclosure comes days after ESET revealed a BadBazaar malware marketing campaign focusing on the official app market that leveraged a rogue model of Telegram to amass chat backups.
Comparable copycat Telegram and WhatsApp apps have been uncovered by the Slovak cybersecurity firm beforehand in March 2023 that got here fitted with clipper performance to intercept and modify pockets addresses in chat messages and redirect cryptocurrency transfers to attacker-owned wallets.