Thousands of Android devices have been infected with malicious spyware fronting as a popular chat app, Telegram.
The clone apps were downloaded over 60,000 times, according to Bleeping Computer. The apps look nearly identical to the official Telegram but harvests messages, contact lists, files, phone numbers, names, and other personal data from a user’s device.
Kaspersky first learned of the fraudulent apps offering simplified and traditional Chinese versions of Telegram and reported this to Google.
While chat apps like Telegram and Sling are reasonably safe to use, users need to verify they are downloading the actual app. Modified apps, which use the same name and layout as the original, entice users with additional features and capabilities unavailable on the official app.
Kaspersky said Telegram “actively encourages” modified apps which put users at risk of security breaches. Because the apps appear verified on Google Play and offer perks the official Telegram doesn’t, users can easily be tricked into downloading an “Evil Telegram” app.
Kaspersky said their experts found minute differences hidden within the app’s code. The variants continuously monitor activity, including whenever a member changes their name or phone number. The information is sent to the creators’ command-and-control server, which Bleeping Computer reports may have ties with “state monitoring and repression mechanisms.”
Google has since removed the malware from the Google Play Store, and a spokesperson released the following statement:
“We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. All of the reported apps have been removed from Google Play and the developers have been banned. Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”
While the apps are no longer available to download, anyone who previously did so needs to delete them from their devices immediately. Users who have downloaded Telegram need to verify they’re using the official app, which will say “org.telegram.messenger.web”. In contrast, the malicious apps are packaged as “org.telegram.messenger.wab” and “org.telegram.messenger.wob.”