Evil Telegram Mods Removed From Google Play
Security researchers have found several lookalike Telegram apps on the official Google Play store that had been modified to contain spyware.
The apps, which Google has since removed, were promoted in Chinese and Uighur as faster than the original Telegram and had been downloaded tens of thousands of times.
Kaspersky said it was first alerted to unusual activity by a package called com.wsys found in the apps.
“The list of functions that call com.wsys suggests that this piece of code means to get access to the user’s contacts. It looks fishy to say the least, considering that the package is not a part of the messenger’s standard feature set,” the security vendor explained in a blog post.
“The com.wsys library runs in the connectSocket() method added to the main activity class responsible for the app’s start screen. The method is called when you start the app or switch to another account. It collects such user-related information as name, user ID, and phone number, after which the app connects to the command server.”
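The package-level comparison Kaspersky describes, as an added Python example that is not from the article or from Kaspersky: given two `apkanalyzer dex packages --defined-only` listings (Android SDK command-line tools), one from the official build and one from the suspect app, it reports packages the official build never defined, the classes inside them, and methods grafted onto classes that already existed. The listings, the `com.wsys.Collector` class and the `org.telegram.ui.*` names are constructed samples, not dumps of real builds; only `com.wsys` and `connectSocket()` come from the article.

```python
"""Static triage of a "modded" APK: diff what it defines against the
official build it claims to be.

Input is modelled on `apkanalyzer dex packages --defined-only <apk>`,
one entry per line:

    <type> <state> <defined-methods> <referenced-methods> <size> <name>

type: P package, C class, M method, F field; state 'd' = defined in this
APK, 'r' = merely referenced. Method names are written as
"<owner class> <return type> <method>(<params>)".

Both listings below are CONSTRUCTED samples, not dumps of real Telegram
builds; the org.telegram.* and com.wsys.Collector names are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DexEntry:
    kind: str  # 'P', 'C', 'M' or 'F'
    name: str  # fully qualified name; methods include owner class + signature


def parse_dex_listing(text: str) -> set[DexEntry]:
    """Parse an apkanalyzer-style listing, keeping only defined ('d') entries."""
    entries: set[DexEntry] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=5)
        if len(parts) != 6 or parts[0] not in ("P", "C", "M", "F"):
            raise ValueError(f"unrecognised listing line: {raw!r}")
        kind, state, name = parts[0], parts[1], parts[5]
        if state == "d":
            entries.add(DexEntry(kind, name))
    return entries


def owner_class(method: str) -> str:
    """'a.b.C void m()' -> 'a.b.C'"""
    return method.split(" ", 1)[0]


def package_of(class_name: str) -> str:
    """'a.b.C' -> 'a.b'"""
    return class_name.rsplit(".", 1)[0]


def in_packages(pkg: str, roots: list[str]) -> bool:
    """True if pkg is one of roots or a sub-package of one."""
    return any(pkg == r or pkg.startswith(r + ".") for r in roots)


def diff_builds(reference: set[DexEntry], suspect: set[DexEntry]) -> dict[str, list[str]]:
    """Return what the suspect build adds on top of the reference build."""
    ref = {k: {e.name for e in reference if e.kind == k} for k in "PCM"}
    sus = {k: {e.name for e in suspect if e.kind == k} for k in "PCM"}

    # 1. Whole packages the official build never defined (the com.wsys case).
    added_packages = sorted(sus["P"] - ref["P"])
    # 2. Classes living in those packages: the foreign component itself.
    foreign_classes = sorted(
        c for c in sus["C"] if in_packages(package_of(c), added_packages)
    )
    # 3. Methods grafted onto classes the official build already had, e.g.
    #    a connectSocket() hooked into the start-screen activity.
    grafted_methods = sorted(
        m for m in sus["M"] - ref["M"] if owner_class(m) in ref["C"]
    )
    return {
        "added_packages": added_packages,
        "foreign_classes": foreign_classes,
        "grafted_methods": grafted_methods,
    }


def triage(reference_text: str, suspect_text: str) -> dict[str, list[str]]:
    return diff_builds(parse_dex_listing(reference_text), parse_dex_listing(suspect_text))


# Constructed sample: an abridged official build. Class names are illustrative.
REFERENCE_LISTING = """\
P d 5 0 0 org
P d 5 0 0 org.telegram
P d 5 0 0 org.telegram.ui
C d 2 0 0 org.telegram.ui.LaunchActivity
M d 1 0 0 org.telegram.ui.LaunchActivity void onCreate(android.os.Bundle)
M d 1 0 0 org.telegram.ui.LaunchActivity void switchToAccount(int)
C d 2 0 0 org.telegram.ui.ChatActivity
M d 1 0 0 org.telegram.ui.ChatActivity void onResume()
M d 1 0 0 org.telegram.ui.ChatActivity void sendMessage(java.lang.String)
P d 0 0 0 com
P d 0 0 0 com.google
C r 0 1 0 android.app.Activity
"""

# Constructed sample: the same build plus what a modded copy grafts on.
SUSPECT_LISTING = REFERENCE_LISTING + """\
P d 2 0 0 com.wsys
C d 2 0 0 com.wsys.Collector
M d 1 0 0 com.wsys.Collector void upload(java.lang.String)
M d 1 0 0 com.wsys.Collector java.util.List readContacts()
M d 1 0 0 org.telegram.ui.LaunchActivity void connectSocket()
"""

if __name__ == "__main__":
    for label, items in triage(REFERENCE_LISTING, SUSPECT_LISTING).items():
        print(f"{label}: {len(items)}")
        for item in items:
            print(f"  {item}")
```

The comparison deliberately ignores referenced-only entries (state `r`), which are framework and library symbols both builds share, and it keys on defined code only; a clean rebuild of the same source therefore produces no findings, while a repackaged copy surfaces both the foreign package and the hook added to an existing activity.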
In addition, when a user receives a message through these apps, the spyware will harvest its content, chat/channel title and ID, and sender name and ID, and send it encrypted to a command-and-control (C&C) server, Kaspersky said.
In a similar way, the malicious apps have functionality to collect the IDs, nicknames, names and phone numbers associated with the victim’s contacts.
Even if the victim changes their name or phone number on Telegram, the information will be sent back to the snoopers via the C&C server, Kaspersky said.
“The apps described in this article come from a class of full-fledged spyware targeted at users from a specific locale (China) and capable of stealing the victim’s entire correspondence, personal data, and contacts,” the vendor concluded.
“Yet their code is only marginally different from the original Telegram code for smooth Google Play security checks.”