Kaspersky IT security researchers have discovered a plethora of fake Telegram apps on the Google Play Store. These malicious clones were installed more than 60,000 times by Internet users. To attract users, the developers claim that their applications are faster than the standard version of Telegram.
App descriptions were written in Traditional Chinese, Simplified Chinese, and Uyghur. As our colleagues from BleepingComputer point out, it is very possible that the entire operation is sponsored by the Chinese government in order to monitor Uyghurs. This minority, of Muslim faith, is massively persecuted by the Chinese authorities. In order to stifle their desire for independence, Beijing has locked up more than a million Uyghurs in learning camps in recent years. For Amnesty International, these camps “are above all places of punishment and torture”.
Very curious applications
Once installed on a smartphone, the applications collect a range of information, such as the name, user ID, phone number and the list of all contacts. Above all, they spy on all of the user's conversations on Telegram. A line of code, identified by Kaspersky, can indeed capture the content of messages, the title, the channel identifier and the name of the sender.
“If the user decides to change their phone number or name, this information will also end up in malicious hands”, underlines Kaspersky.
This is a shame for users looking to install an encrypted and secure application like Telegram. Designed by two Russian opponents of Vladimir Putin, Nikolai and Pavel Durov, the messaging system relies on the MTProto encryption protocol to protect user data. In addition, Telegram only requires one piece of data, the telephone number, to create an account.
Moreover, the applications do not differ from the official version of Telegram, from which they also take much of the code to fool Google. It is indeed possible to join Telegram channels and communicate with contacts. In this way, the victims do not suspect the deception. Basically, these malicious Telegram applications work like Signal Plus Messenger, a fake version of Signal messaging, spotted on the Play Store this summer. This app also targeted Uyghurs and spied on messages.
Google takes action
Alerted by Kaspersky experts, Google promptly banned the applications, and their developers, from the Play Store. The Mountain View giant says it is committed to taking “security and privacy claims against apps seriously”. The firm specifies that “Users are further protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices”, although the security mechanism is regularly abused by hackers.
This is far from the first time that copies of Telegram have managed to infiltrate the Play Store under Google’s nose. This summer, a malicious copy of Telegram, called FlyGram, was spotted on the platform. At the same time, a host of clones of popular messaging apps are distributed as APK files on the web. At the start of the year, ESET notably discovered an army of fake WhatsApp, Telegram and Signal apps intended to plunder investors’ cryptocurrency portfolios.