Trojanized Telegram Apps ‘Evil Telegram’ Infects Thousands of Android Users
Several counterfeit Telegram apps laden with spyware have been found on the Google Play Store by security researchers. The apps, dubbed “Evil Telegram”, have been downloaded tens of thousands of times and appear to target the Uighur minority and the Chinese-speaking community.
These modified apps (mods), first discovered by researchers at Kaspersky, claimed to be the fastest Telegram clients available thanks to a distributed network of data processing centers worldwide.
“At first it gives an impression of a perfectly ordinary Telegram mod: most packages look the same as the standard ones. But, on closer examination, you can see the package called com.wsys, which is not typical for Telegram,” the article read.
This malicious module is used to access and harvest user-related information such as contacts, the target’s name, user ID, and phone number. It also monitors user activity within the app, exfiltrating data sent and received through the messenger, which is then transferred in encrypted form to a threat actor-controlled C2 server.
“When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals,” Kaspersky’s investigation revealed.
Additionally, the trojanized app collects the IDs, nicknames, names, and phone numbers of the victim’s contacts. It also closely monitors the victim’s Telegram account, and any change to the account name or phone number is transmitted directly to the attackers via the C2 servers.
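The report’s indicators (the out-of-place com.wsys package, the uploadTextMessageToService routine and the tgsync.s3 cache file) lend themselves to a simple static triage check on a decompiled build. The script below is an added example, not Kaspersky’s tooling: it takes the class names and string constants recovered from a decompiled APK (here a constructed sample), flags any top-level package outside an assumed allowlist of namespaces a genuine Telegram build is expected to carry (org.telegram plus common support libraries), and reports any of the published indicator strings it finds.

```python
"""Static triage of a decompiled Telegram mod for the Evil Telegram indicators.

Added example, not Kaspersky's tooling. Input would normally come from a
decompiler's class listing and string table; here it is constructed inline.
"""
from collections import Counter

# Assumed allowlist: namespaces a genuine Telegram build is expected to contain.
# org.telegram is Telegram's own; the rest are common Android/support libraries.
EXPECTED_PREFIXES = ("org.telegram.", "androidx.", "android.", "kotlin.", "com.google.")

# Indicators taken from the Kaspersky report quoted above.
INDICATOR_PACKAGE = "com.wsys"
INDICATOR_STRINGS = ("uploadTextMessageToService", "tgsync.s3")

# Constructed sample input standing in for a decompiled APK.
SAMPLE_CLASSES = [
    "org.telegram.messenger.MessagesController",
    "org.telegram.ui.ChatActivity",
    "androidx.core.app.NotificationCompat",
    "com.wsys.SyncService",
    "com.wsys.Uploader",
]
SAMPLE_STRINGS = [
    "https://telegram.org",
    "tgsync.s3",
    "uploadTextMessageToService",
    "chat_title",
]


def unexpected_packages(class_names, expected=EXPECTED_PREFIXES):
    """Count classes per top-level package (first two labels) that fall outside the allowlist."""
    hits = Counter()
    for cls in class_names:
        if cls.startswith(expected):
            continue
        parts = cls.split(".")
        pkg = ".".join(parts[:2]) if len(parts) >= 2 else cls
        hits[pkg] += 1
    return hits


def indicator_hits(strings, indicators=INDICATOR_STRINGS):
    """Return the sorted set of recovered strings that contain a known indicator."""
    return sorted({s for s in strings for ind in indicators if ind in s})


def triage(class_names, strings):
    """Combine both checks into a verdict: 'suspicious' if the indicator package
    or any indicator string is present, 'review' if only unknown packages exist,
    otherwise 'clean'."""
    pkgs = unexpected_packages(class_names)
    found = indicator_hits(strings)
    has_indicator_pkg = any(
        p == INDICATOR_PACKAGE or p.startswith(INDICATOR_PACKAGE + ".") for p in pkgs
    )
    if has_indicator_pkg or found:
        verdict = "suspicious"
    elif pkgs:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "unexpected_packages": dict(pkgs),
        "indicator_strings": found,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CLASSES, SAMPLE_STRINGS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

An unknown package on its own is only a prompt for manual review, since legitimate mods do bundle extra libraries; it is the combination with the exfiltration routine name and the cache file name that makes a sample match this family.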
In conclusion, the researchers said that these full-fledged spyware apps, aimed at a specific region (China), have the capability to steal all information from a user’s device. Moreover, with only a slight change in code, they were able to bypass Google Play’s security checks. The findings were shared with Google, and the apps were ultimately removed from the Play Store.