Spy ware masquerading as modified variations of Telegram have been noticed within the Google Play Retailer that is designed to reap delicate data from compromised Android gadgets.
Based on Kaspersky safety researcher Igor Golovin, the apps include nefarious options to seize and exfiltrate names, consumer IDs, contacts, cellphone numbers, and chat messages to an actor-controlled server.
The exercise has been codenamed Evil Telegram by the Russian cybersecurity firm.
The apps have been collectively downloaded thousands and thousands of occasions earlier than they have been taken down by Google. Their particulars are as follows –
- 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) – 10 million+ downloads
- TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) – 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) – 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) – 10,000+ downloads
- ئۇيغۇر تىلى TG – تېلېگرامما (org.telegram.messenger.wcb) – 100+ downloads
The final app on the listing interprets to “Telegram – TG Uyghur,” indicating a transparent try to focus on the Uyghur neighborhood.
It is value noting that the bundle title related to the Play Retailer model of Telegram is “org.telegram.messenger,” whereas the bundle title for the APK file immediately downloaded from Telegram’s web site is “org.telegram.messenger.net.”
The usage of “wab,” “wcb,” and “wob” for the malicious bundle names, due to this fact, highlights the menace actor’s reliance on typosquatting methods as a way to move off because the legit Telegram app and slip underneath the radar.
Method Too Weak: Uncovering the State of the Identification Assault Floor
Achieved MFA? PAM? Service account safety? Learn the way well-equipped your group actually is in opposition to identification threats
“At first look, these apps seem like full-fledged Telegram clones with a localized interface,” the corporate mentioned. “All the pieces seems and works virtually the identical as the actual factor. [But] there’s a small distinction that escaped the eye of the Google Play moderators: the contaminated variations home a further module:”
The disclosure comes days after ESET revealed a BadBazaar malware marketing campaign focusing on the official app market that leveraged a rogue model of Telegram to amass chat backups.
Related copycat Telegram and WhatsApp apps have been uncovered by the Slovak cybersecurity firm beforehand in March 2023 that got here fitted with clipper performance to intercept and modify pockets addresses in chat messages and redirect cryptocurrency transfers to attacker-owned wallets.
