Infected by Spyware Hidden in Fake Telegram Apps on Google Play

Spyware has been spotted in the Google Play Store disguised as a modified version of Telegram designed to obtain sensitive information from compromised Android devices.

According to Kaspersky security researcher Igor Golovin, the apps come with malicious features to capture names, user IDs, contacts, phone numbers, and chat messages and exfiltrate them to actor-controlled servers.

The activity has been dubbed Evil Telegram by the Russian cybersecurity company.

The apps were collectively downloaded millions of times before being removed by Google. Their details are as follows –

It is worth noting that the package name associated with the Play Store version of Telegram is “org.telegram.messenger”, while the package name of the APK file downloaded directly from Telegram’s website is “org.telegram.messenger.web”.

The use of “wab,” “wcb,” and “wob” in the malicious package names therefore highlights the threat actor’s reliance on typosquatting techniques to pass off as a legitimate Telegram app and slip under the radar.
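The lookalike package names described above can be caught in an app inventory by comparing each installed package against Telegram's two legitimate names. The following is an added example, not code from Kaspersky or from the article; the sample inventory is constructed, and it assumes plain `pm list packages` output (one `package:<name>` per line).

```python
# Added example: flag installed Android packages whose names are near-misses
# of Telegram's legitimate package names (both taken from the article).
LEGIT = {"org.telegram.messenger", "org.telegram.messenger.web"}

# Constructed sample inventory in `pm list packages` format (not real device data).
SAMPLE = """\
package:com.android.chrome
package:org.telegram.messenger
package:org.telegram.messenger.wab
package:org.telegram.messenger.wob
package:org.telegram.messenger.wcb
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def parse_pm_list(text: str) -> list[str]:
    """Extract package names from lines of the form 'package:<name>'."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")]

def find_lookalikes(packages, legit=LEGIT, max_distance=2):
    """Return (package, closest legitimate name, distance) for near-misses.

    Exact matches are skipped: a matching name alone says nothing about who
    signed the app, so this check complements signature verification.
    """
    hits = []
    for pkg in packages:
        if pkg in legit:
            continue
        closest, dist = min(((name, edit_distance(pkg, name))
                             for name in sorted(legit)), key=lambda t: t[1])
        if dist <= max_distance:
            hits.append((pkg, closest, dist))
    return hits

if __name__ == "__main__":
    for pkg, closest, dist in find_lookalikes(parse_pm_list(SAMPLE)):
        print(f"SUSPECT {pkg}: {dist} edit(s) from {closest}")
```

A hit is a lead for review rather than proof of malice; the threshold of 2 edits is an assumption to tune against your own inventory.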

“At first glance, these apps appear to be complete Telegram clones with a native interface,” the company said. “Everything looks and functions almost exactly like the real thing.”

The revelation comes days after ESET revealed the BadBazaar malware campaign targeting the official app marketplace that leveraged a rogue version of Telegram to collect chat backups.

Similar copycat Telegram and WhatsApp apps, previously discovered by the Slovak cybersecurity company in March 2023, were equipped with clipper functionality to intercept and modify wallet addresses in chat messages and redirect cryptocurrency transfers to wallets owned by the attacker.
