Weaponized Telegram App Infected Over 60K Android Users


Telegram Messenger offers global, cloud-based instant messaging with several features:-

  • Optional end-to-end-encryption
  • Video calling
  • VoIP
  • File sharing

Cybersecurity researchers at Securelist recently found several Telegram mods (modified third-party builds of the client) on Google Play in various languages (traditional Chinese, simplified Chinese, and Uighur), each claiming to be the fastest app with a global network of data centers.

Telegram mods on Google Play (Source – Securelist)

Despite Google Play vetting, Telegram mods still pose risks: threat actors compromise them and sell their own versions. Researchers analyzed one such mod, which appears identical to the original Telegram upon launch.

Malicious Telegram Apps

Examining the code reveals a seemingly ordinary Telegram mod, but a package named com.wsys stands out, prompting a closer look at its functions.

Suspicious com.wsys library (Source – Securelist)

Functions linked to com.wsys appear to access the user’s contacts, which is suspicious because that is not part of the client’s standard feature set.

The com.wsys library is invoked from the main activity class’s connectedSocket() method; it gathers user information and connects to a command server whenever the app starts or the user switches accounts.

Users get another surprise when receiving a message: the threat actors added an uploadTextMessageToService method to the incoming-message processing code, a method that is absent from the clean Telegram version.

Malware processing incoming message (Source – Securelist)

Upon message reception, uploadTextMessageToService captures message data, encrypts it into the file tgsync.s3, and sends it to the command server.

The mod also gathers the following user contact information, all of which is sent to the command server, including updates whenever the user changes their name or number:-

  • IDs
  • Nicknames
  • Names
  • Phone numbers

Besides this, the app encrypts received or sent files and forwards them to attacker-controlled accounts on popular cloud storage services.

Recommendation

Recent attacks using unofficial Telegram mods, especially in China, go beyond crypto wallet scams and ad fraud: the mods act as full-fledged spyware while closely mimicking the original Telegram code, which lets them pass Google Play security checks.

Official stores don’t guarantee app safety, so be wary of third-party messenger mods, even on Google Play. Although the threat has been reported, some of the apps remain available for download.

IOCs

Md5

  • 39df26099caf5d5edf264801a486e4ee
  • b9e9a29229a10deecc104654cb7c71ae
  • e0dab7efb9cea5b6a010c8c5fee1a285
  • efcbcd6a2166745153c329fd2d486b3a
  • 8e878695aab7ab16e38265c3a5f17970
  • 65377fa1d86351c7bd353b51f68f6b80
  • 19f927386a03ce8d2866879513f37ea0
  • a0e197b9c359b89e48c3f0c01af21713
  • c7a8c3c78ac973785f700c537fbfcb00
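The two observable traits above (the MD5 IoCs and the out-of-place com.wsys package) lend themselves to a quick APK triage check. The script below is an added example, not Securelist’s tooling or code from the report: it hashes an APK against the published MD5 list and does a plain byte search of every classes*.dex entry for the DEX type-descriptor prefix "Lcom/wsys/", which is how DEX stores class names. The sample APKs are constructed in memory (a minimal zip with a fake classes.dex), so nothing real is needed to run it. A negative result is not a clean bill of health: a repackaged build can rename its package, so treat the descriptor search as a heuristic that complements, rather than replaces, hash matching and signer verification.

```python
"""Triage helper for sideloaded or mod APKs (added example, not from the report).

Checks performed:
  1. MD5 of the whole APK against the IoC list published in the report.
  2. Byte search of each classes*.dex for the suspicious descriptor "Lcom/wsys/".
     DEX string tables hold class names as type descriptors, so a raw search
     works as a cheap heuristic without a full DEX parser.
"""
import hashlib
import io
import zipfile

# MD5 IoCs exactly as listed in the report, lower-cased for comparison.
IOC_MD5 = {
    "39df26099caf5d5edf264801a486e4ee",
    "b9e9a29229a10deecc104654cb7c71ae",
    "e0dab7efb9cea5b6a010c8c5fee1a285",
    "efcbcd6a2166745153c329fd2d486b3a",
    "8e878695aab7ab16e38265c3a5f17970",
    "65377fa1d86351c7bd353b51f68f6b80",
    "19f927386a03ce8d2866879513f37ea0",
    "a0e197b9c359b89e48c3f0c01af21713",
    "c7a8c3c78ac973785f700c537fbfcb00",
}

# Package named in the report, written as a DEX type-descriptor prefix.
SUSPICIOUS_DESCRIPTORS = (b"Lcom/wsys/",)


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the raw file bytes (MD5 is used only because the IoCs are MD5)."""
    return hashlib.md5(data).hexdigest()


def dex_hits(apk_bytes: bytes) -> list:
    """Return (dex entry name, descriptor) pairs found in any classes*.dex."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                blob = zf.read(name)
                for descriptor in SUSPICIOUS_DESCRIPTORS:
                    if descriptor in blob:
                        hits.append((name, descriptor.decode()))
    return hits


def triage_apk(apk_bytes: bytes) -> dict:
    """Combine both checks into one verdict dictionary."""
    digest = md5_hex(apk_bytes)
    hits = dex_hits(apk_bytes)
    ioc_match = digest.lower() in IOC_MD5
    return {
        "md5": digest,
        "ioc_match": ioc_match,
        "dex_hits": hits,
        "suspicious": ioc_match or bool(hits),
    }


def build_sample_apk(include_wsys: bool) -> bytes:
    """Constructed sample: a minimal zip laid out like an APK, not a real app.

    The fake classes.dex carries only a DEX magic and a couple of descriptors;
    the legitimate-looking one is a Telegram class name, the optional one is
    the com.wsys package from the report.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fixed = (2023, 1, 1, 0, 0, 0)  # fixed timestamp so the archive is deterministic
        zf.writestr(zipfile.ZipInfo("AndroidManifest.xml", date_time=fixed), b"<manifest/>")
        dex = b"dex\n035\x00" + b"Lorg/telegram/messenger/ApplicationLoader;\x00"
        if include_wsys:
            dex += b"Lcom/wsys/Sync;\x00"  # hypothetical class name inside the real package
        zf.writestr(zipfile.ZipInfo("classes.dex", date_time=fixed), dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean-looking sample", False), ("sample with com.wsys", True)):
        print(label, triage_apk(build_sample_apk(flag)))
```

To run it against a real file, read the APK with `open(path, "rb").read()` and pass the bytes to `triage_apk`; the same function handles multi-DEX apps because it scans every classes*.dex entry in the archive.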

C&C
