‘Evil Telegram’ Spyware Campaign Infects Over 60,000 Mobile Users

A dangerous form of spyware disguised as legitimate Telegram “mods” has been discovered in the official Google Play app store, with potentially serious consequences for business users. Telegram mods are modified applications that offer additional features beyond the standard functionality of the official client. While the development of mods is encouraged and considered legitimate by Telegram, threat actors are now taking advantage of this acceptance to carry out cyberespionage activities through what has been dubbed “Evil Telegram.”

According to research conducted by Kaspersky, the proliferation of Telegram mods has created a new avenue for cyberespionage. These mods look like legitimate applications and promise extra features or improved performance compared to the official apps. This entices users to download and use these third-party apps without fully considering the potential risks associated with them.

One example of this trend is a set of infected apps found on Google Play by Kaspersky researchers, named “Paper Airplane.” These apps claim to be versions of Telegram in different languages, including Uyghur, simplified Chinese, and traditional Chinese. They attract users by boasting faster speeds due to a distributed network of data centers worldwide. At first glance, these apps resemble legitimate Telegram clones, but they contain a hidden module that acts as powerful spyware. This module monitors all activity within the messenger, including contacts, messages, chat and channel names, and even the account owner’s personal information.

These infected apps have been downloaded over 60,000 times, indicating that a substantial number of users have unwittingly exposed their information to the spyware. Of particular concern is the Uyghur version, as the Uyghur ethnic minority in China has been targeted with spyware in the past. This group has faced repeated persecution, likely at the behest of government intelligence services. Encrypted messaging apps like Telegram are often used by civil society and dissidents to avoid the scrutiny of repressive regimes.

Kaspersky has reported these apps to Google for removal, but some versions are still available on the Play store. The fact that these malicious apps made it onto Google Play demonstrates the need for increased vigilance. Businesses, in particular, should take note of the risks associated with unofficial messenger apps. Infected apps can lead to unauthorized access to sensitive company data, exposure of business strategies and intellectual property, and the compromise of employee personal information.

The discovery of these spyware-infected Telegram apps is part of a growing trend. Kaspersky researchers have warned that attacks involving various unofficial Telegram mods are increasing in frequency. Previously, these mods were used to replace cryptowallet addresses in users’ messages or perform ad fraud. However, the recent apps represent a new class of spyware capable of stealing an individual’s entire correspondence, personal data, and contacts.

This is not the first incident of spyware-infected messaging apps being discovered on popular app stores. ESET recently discovered a spyware version of Telegram called FlyGram on Google Play and the Samsung Galaxy Store. ESET also uncovered the same malware in a modified version of the Signal encrypted messaging app called Signal Plus Messenger.

To protect themselves, businesses should remind employees that even apps verified and published on Google Play can be compromised. It is important to scrutinize the developer and be cautious of alternative clients for popular messengers. Official apps should also be examined thoroughly, including their user reviews, to confirm their legitimacy.

In conclusion, the discovery of spyware-infected Telegram mods highlights the increasing prevalence of mobile spyware and the serious risks it poses to businesses and individuals. It serves as a reminder that even seemingly legitimate apps can contain malicious code. Users must exercise caution when downloading apps and stick to official versions whenever possible. Increased awareness and education about the dangers of third-party apps are essential in safeguarding sensitive information.
