Spyware in Fake Google Play Telegram Apps Affects Millions
It has been discovered that the Google Play Store hosts spyware that steals sensitive data from Android devices after pretending to be a modified version of Telegram. This spyware is designed to infect devices that have already been infected.
According to Igor Golovin, a security researcher at Kaspersky, the applications are equipped with malicious capabilities that can capture and send information such as names, user IDs, contacts, phone numbers, and chat messages to a server that is controlled by an actor.
The Russian cybersecurity outfit has given this activity the moniker Evil Telegram due to its malicious nature.
It is essential to take note that the package name for the version of Telegram that can be found in the Play Store is “org.telegram.messenger,” whereas the package name for the APK file that can be downloaded directly from Telegram’s website is “org.telegram.messenger.web.” Both of these package names may be found in the Android Market.
The fact that the malicious packages are named “wab,” “wcb,” and “wob” suggests that the threat actor is engaging in typosquatting techniques in order to disguise themselves as the genuine Telegram app.
“At first glance, these apps appear to be full-fledged Telegram clones with a localized interface,” the company asserted. Everything is designed to look and perform in a manner that is analogous to the original. The managers of Google Play, on the other hand, failed to recognize a tiny distinction, as the infected versions have an additional module.
This news comes just a few days after ESET discovered the BadBazaar malware operation. This campaign collected chat history from the legitimate app marketplace by using a fraudulent version of Telegram.
A Slovak cybersecurity company discovered a copycat software in March 2023 that functioned similarly to Telegram and WhatsApp but incorporated clipper functionality. This functionality enabled the app to intercept and modify wallet addresses in chat discussions as well as redirect cryptocurrency transfers to the attacker’s wallet.
