A while ago we discovered a bunch of Telegram mods on Google Play with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor says these are the fastest apps which use a distributed network of data processing centers around the world.

What can possibly be wrong with a Telegram mod duly tested by Google Play and available through the official store? Well, lots of things, as a matter of fact: not only do threat actors find ways to penetrate Google Play, but they also sell their stuff. So, we went on to analyze the messenger mod.

When launched, the app is no different from the original Telegram.

But let’s take a look at its code to be on the safe side.

At first it gives an impression of a perfectly ordinary Telegram mod: most packages look the same as the standard ones. But, on closer examination, you can see the package called com.wsys, which is not typical for Telegram. Let’s see what functions call this package methods.

The list of functions that call com.wsys, suggests that this piece of code means to get access to the user’s contacts. It looks fishy to say the least, considering that the package is not a part of the messenger’s standard feature set.

The com.wsys library runs in the connectSocket() method added to the main activity class responsible for the app’s start screen. The method is called when you start the app or switch to another account. It collects such user-related information as name, user ID, and phone number, after which the app connects to the command server.

One more unpleasant surprise awaits the user when receiving a message: in the incoming message processing code, threat actors have added a call for the uploadTextMessageToService method.

Compare: the clean Telegram version does not contain the method in the same code area.

When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.

The app’s malicious functionality does not end at stealing messages. A call for the uploadFriendData method has been added to the contacts processing code.

The method is used to collect information about the user’s contacts: IDs, nicknames, names, and phone numbers. All these go to the command server much in the same way.

If the user decides to change their name of phone number, this information will end up in rogue hands as well.

When the user receives or sends a file, the app creates an encrypted copy of it which then get forwarded to the attackers’ account residing in one of the popular cloud storages.

Conclusion

Attacks employing various unofficial Telegram mods are on the rise of late. Often, they replace crypto wallet addresses in users’ messages or perform ad fraud. Unlike those, the apps described in this article come from a class of full-fledged spyware targeted at users from a specific locale (China) and capable of stealing the victim’s entire correspondence, personal data, and contacts. And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks.

As you can see, being an official store item does not guarantee an app’s security, so be wary of third-party messenger mods, even those distributed by Google Play. We reported the threat to Google but, as of the time of writing, some of the apps are still available for downloading.

IOC

Md5
39df26099caf5d5edf264801a486e4ee
b9e9a29229a10deecc104654cb7c71ae
e0dab7efb9cea5b6a010c8c5fee1a285
Efcbcd6a2166745153c329fd2d486b3a
8e878695aab7ab16e38265c3a5f17970
65377fa1d86351c7bd353b51f68f6b80
19f927386a03ce8d2866879513f37ea0
a0e197b9c359b89e48c3f0c01af21713
c7a8c3c78ac973785f700c537fbfcb00

С&C
sg[.]telegrnm[.]org