Telegram Mod Apps Found on Google Play Store Contain Malicious Code
Malicious Mod Attacks Chinese Users

Overt Operator
September 11, 2023
Researchers found a number of Telegram mod apps on the Google Play Store that contained malicious code.
The apps were listed with descriptions in traditional Chinese, simplified Chinese, and Uighur, which marketed them as the fastest Telegram clients available thanks to a distributed network of data centers around the world.
Downloading from the official Google Play Store feels safe, but threat actors keep finding ways past its review process and in some cases even sell their malicious apps through it. That is what prompted researchers to take a closer look at these Telegram mods.
When launched, the app looked and behaved like the original Telegram client. A closer examination of its code, however, turned up elements that do not belong in a stock build.
One package in particular, named "com.wsys", stood out because it is not part of the upstream Telegram client. Tracing the functions that call into this package showed that it was designed to harvest the user's contacts, something a messenger has no reason to do from a bolted-on library.
The com.wsys library is invoked from a connectSocket() method that the mod's authors added to the main activity class, the one responsible for the app's start screen, so it runs as soon as the app comes up. The method collects user-related information such as display name, user ID, and phone number and then connects to a command-and-control server.
In addition, the researchers found a call to an uploadTextMessageToService method inserted into the incoming-message processing code. That addition lets the operators upload the text of received messages to their service, exposing the contents of users' conversations.
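The two findings above (a package outside the app's own namespace, and app methods wired to call into it) are exactly what a static triage of a repackaged APK looks for. The script below is an added example, not code from the researchers or from Telegram: it parses the smali listing that apktool/baksmali produce from an APK, flags every class that falls outside an allowlist of expected namespaces, and reports which app methods invoke the foreign classes. The smali sample is constructed for the example; the class and method names in it (com.wsys.Sock, LaunchActivity.connectSocket, MessagesController.processNewMessage) are hypothetical stand-ins shaped after the article's description, and the allowlist of prefixes is an assumption that in practice would be generated from the official APK's class list.

```python
"""Static triage for a repackaged Android app: flag classes outside the
expected namespaces and list which app methods call into them.

Added example; assumes input in the smali syntax emitted by apktool/baksmali.
"""
import re
from collections import defaultdict

# Assumption: namespaces a stock Telegram build is expected to contain.
# In practice, derive this allowlist from the official APK's class list.
EXPECTED_PREFIXES = ("Lorg/telegram/", "Landroidx/", "Lcom/google/",
                     "Ljava/", "Landroid/")

CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([^\s(]+)\(")
INVOKE_RE = re.compile(r"^invoke-[\w/]+\s+\{[^}]*\},\s+(L[^;]+;)->([^\s(]+)\(")

# Constructed sample: two app classes, one of them calling a foreign package.
# All names are hypothetical, shaped after the article's description.
SAMPLE_SMALI = """\
.class public Lorg/telegram/ui/LaunchActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-direct {p0}, Lorg/telegram/ui/LaunchActivity;->connectSocket()V
    return-void
.end method

.method private connectSocket()V
    .locals 1
    invoke-static {}, Lorg/telegram/messenger/UserConfig;->getInstance()Lorg/telegram/messenger/UserConfig;
    move-result-object v0
    invoke-static {p0, v0}, Lcom/wsys/Sock;->connect(Landroid/content/Context;Lorg/telegram/messenger/UserConfig;)V
    return-void
.end method

.class public Lorg/telegram/messenger/MessagesController;
.super Ljava/lang/Object;

.method public processNewMessage(Lorg/telegram/tgnet/TLRPC$Message;)V
    .locals 0
    invoke-static {p1}, Lcom/wsys/Sock;->uploadTextMessageToService(Lorg/telegram/tgnet/TLRPC$Message;)V
    return-void
.end method
"""


def parse_call_graph(smali_text):
    """Return (caller_class, caller_method, callee_class, callee_method)
    edges from one or more concatenated smali class files."""
    edges = []
    cur_class = cur_method = None
    for raw in smali_text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:                       # new class: reset method context
            cur_class, cur_method = m.group(1), None
            continue
        m = METHOD_RE.match(line)
        if m:
            cur_method = m.group(1)
            continue
        if line == ".end method":
            cur_method = None
            continue
        m = INVOKE_RE.match(line)
        if m and cur_class and cur_method:
            edges.append((cur_class, cur_method, m.group(1), m.group(2)))
    return edges


def foreign_classes(edges, expected=EXPECTED_PREFIXES):
    """Classes seen as caller or callee that lie outside the expected namespaces."""
    seen = set()
    for caller, _, callee, _ in edges:
        seen.update((caller, callee))
    return sorted(c for c in seen if not c.startswith(expected))


def callers_of(edges, class_prefix):
    """Map each method of a foreign class to the app methods that invoke it,
    i.e. where the injected code is hooked into the app's own flow."""
    out = defaultdict(set)
    for caller, cmeth, callee, meth in edges:
        if callee.startswith(class_prefix):
            out[f"{callee}->{meth}"].add(f"{caller}->{cmeth}")
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    graph = parse_call_graph(SAMPLE_SMALI)
    for cls in foreign_classes(graph):
        print("foreign class:", cls)
        for target, callers in callers_of(graph, cls).items():
            print("  ", target, "<-", ", ".join(callers))
```

Run against a real decompilation, the same two questions apply: which classes are not in the official build, and which of the app's own methods (start-up, account switch, message receipt) have gained calls into them. A call from the main activity's start path into an unknown package, as here, is the pattern the researchers describe.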
Users should remain cautious when installing apps, even from official stores like Google Play. Google does scan submissions, but malicious software still slips through at times, and a third-party "mod" of a messenger carries the added risk that its author controls the client that handles your messages and contacts. Prefer the official client (on Android, package org.telegram.messenger) over modified builds, check that the developer name and package match it, and keep the operating system, Play Protect, and any security software up to date.
In conclusion, the discovery of malicious Telegram mods on Google Play is another reminder that a listing on an official store is not proof that an app is safe.
Experts advise all users to exercise caution even when installing from official sources. Staying informed and keeping security measures current gives users a better chance of protecting themselves against threats like this one.