Weaponized Telegram App Infected Over 60K Android Users

Telegram Messenger offers global, cloud-based instant messaging with several features:-

  • Optional end-to-end-encryption
  • Video calling
  • VoIP
  • File sharing

Cybersecurity researchers at Securelist recently found several Telegram mods on Google Play, localized in traditional Chinese, simplified Chinese and Uighur, that claim to be the fastest Telegram apps thanks to a global network of data centers.

Telegram mods pose risks even after Google Play's review: threat actors slip their own builds past the checks and distribute them. Researchers analyzed one such mod, which looks identical to the original Telegram when launched.

Malicious Telegram Apps

Examining the code reveals what looks like an ordinary Telegram mod, but a package named com.wsys stands out and prompts a closer look at its functions.

Suspicious com.wsys library (Source – Securelist)

Functions linked to com.wsys access the user's contact list, which is suspicious because that is not part of the standard Telegram feature set.

The com.wsys library is invoked from the main activity class's connected socket () method; it gathers user information and connects to the command server whenever the app starts or the user switches accounts.

Users get another surprise when a message arrives: the threat actors added an uploadTextMessageToService method to the incoming-message processing code, a method that does not exist in the clean Telegram version.

Malware processing incoming message (Source – Securelist)

When a message is received, uploadTextMessageToService collects the following data, encrypts it into a file named tgsync.s3 and sends it to the command server:-

  • Chat details
  • Sender info

The method also gathers the following contact information and sends all of it to the command server, including updates whenever a contact changes their name or number:-

  • IDs
  • Nicknames
  • Names
  • Phone numbers

Besides this, the app encrypts and forwards received or sent files to attackers’ accounts on popular cloud storage.
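The indicators the analysis names (the com.wsys package, the uploadTextMessageToService method and the tgsync.s3 file) are stored as plain strings in the app's DEX string table, so a defender can triage the classes*.dex files of a suspect APK for them without running the app. The following is an added example, not code from the article or from Securelist: it parses the DEX string_ids table directly and matches it against an indicator list that is assumed here; the minimal sample DEX it builds for the demo is constructed and is not a real app.

```python
import struct

# Indicators from the article: com.wsys as a DEX type-descriptor prefix, the injected method name and the upload file name.
INDICATORS = ("Lcom/wsys/", "uploadTextMessageToService", "tgsync.s3")
HEADER_SIZE = 0x70  # fixed size of the DEX header

def read_uleb128(buf, off):
    # Decode one unsigned LEB128 value; return (value, offset after it).
    value, shift = 0, 0
    while True:
        b = buf[off]; off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def dex_strings(dex):
    """Walk the DEX string_ids table and return every string_data_item as text."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)  # leading uleb128 length prefix
        end = dex.index(b"\x00", pos)                   # MUTF-8 payload is NUL-terminated
        strings.append(dex[pos:end].decode("utf-8", "replace"))  # MUTF-8 read as UTF-8
    return strings

def scan_dex(dex):
    """Return the sorted list of indicators present in the DEX string table."""
    found = set()
    for s in dex_strings(dex):
        found.update(ind for ind in INDICATORS if ind in s)
    return sorted(found)

def build_sample_dex(strings):
    """Constructed minimal DEX holding only a string table, so the demo runs offline."""
    table_off = HEADER_SIZE
    data_off = table_off + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"  # strings < 128 chars: 1-byte uleb128
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header) + ids + data
```

For a real APK, open it with zipfile and pass the bytes of each classes*.dex entry to scan_dex; a hit on any indicator is a reason to pull the sample for full analysis, not proof on its own.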

Recommendation

Recent attacks using unofficial Telegram mods, especially in China, go beyond crypto wallet scams and ad fraud: the mods amount to full-fledged spyware, and they mimic the original Telegram code closely enough to pass Google Play's security checks.

Official stores don’t guarantee app security, so be wary of third-party messenger mods even on Google Play. Even after the threat was reported, some of the apps remained available for download.

Source: https://cybersecuritynews.com/weaponized-telegram-app/
