Telegram got angry: why did the Chinese create 1000 and 1 spy mod for the messenger?

Carding

"Evil Telegram" pretends to be harmless so it can laugh at the memes in your private correspondence.

Kaspersky Lab experts have identified dangerous spyware disguised as modified versions of the popular Telegram messenger. Tens of thousands of users have already downloaded these apps from the official Google Play store.

Modified versions (also called "mods") are part of the messenger's ecosystem. They include all the standard features but are supplemented with various improvements. Telegram not only does not prevent this practice, but actively supports it and considers it legitimate.

Attackers, taking advantage of the company's permissive stance, developed a mod of their own, which was dubbed "Evil Telegram". According to the study, there are quite a lot of Telegram variants in the stores right now, and using any of them calls for increased caution.

"Apps like Telegram, Signal, and WhatsApp promise complete security through end-to-end encryption. This leads many to believe that the platforms are completely harmless," explains Erich Krohn, a cybersecurity expert at KnowBe4.

A whole group of infected apps was found on Google Play; the attackers themselves gave it the name "Paper Airplane". The messengers are available in several languages: simplified and traditional Chinese, as well as Uyghur. The developers promise improved performance and higher speed thanks to a distributed network.

The researchers found that the apps contain a hidden module that monitors activity and forwards the collected data to external servers. This information may include the contact list, sent and received messages along with their attachments, the names of chats and channels, and the name and phone number of the account owner. The code differs only very slightly from the original, which makes it very difficult for Google's security systems to detect the malicious elements.

Worryingly, the mods have already received 60,000 downloads and are likely still collecting information about their victims. The threat is particularly relevant for the Uyghur version: attacks by Chinese special services on this ethnic minority have been going on for a long time, including in cyberspace.

Callie Gunter, senior manager of cyber threat research at Critical Start, warns that spyware like "Evil Telegram" poses a threat not only to individual users but also to the business sector. Infection can lead to unauthorized access to confidential data and compromise of employees' personal information. Besides espionage, the hackers behind the Telegram mods are engaged in spoofing cryptocurrency addresses and advertising fraud.

Not so long ago, experts from ESET discovered another spy mod called "FlyGram". Similar malicious code was also found in a modification of the Signal messenger called "Signal Plus Messenger". Both are associated with the activity of the Chinese group GREF.

In conclusion, Erich Krohn recommends that organizations use only official apps for communication between employees and inform staff about all the possible risks.