Rewterz Threat Alert – Fake Telegram Apps on Google Play Distributing Spyware on Android Devices – Active IOCs

Severity

High

Analysis Summary

Multiple fake Telegram apps have been discovered on Google Play for Android that are infecting devices with spyware and are also capable of stealing messages, contact lists and other personal data. Most of these apps has been installed over 60,000 times.

These malicious apps seem to be targeting Chinese-speaking users and the Uighur ethnic minority. The apps are promoted as “faster” alternatives to the regular Telegram, and seeing the number of installs, the campaign has been successful in reaching the potential targets.

Security analysts revealed that these apps appear identical to Telegram but contain extra code to steal data, including a package named ‘com.wsys’ that accessed contacts, usernames, user IDs, and phone numbers. The spyware sent copies of received messages to a command and control server. The exfiltrated data, encrypted before transmission, included message content, chat/channel details, sender information, and monitored changes to usernames and contact lists.

Google has since removed these apps from Google Play and banned their developers. Google Play Protect also provides security against such malicious behavior.

“We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. All of the reported apps have been removed from Google Play and the developers have been banned. Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.” according to Google.

Previously, ESET warned about trojanized messaging apps like Signal Plus Messenger and FlyGram, which contained malware to spy on users. Earlier, they found clones of Telegram and WhatsApp targeting Chinese-speaking users.

Users are advised to use official versions of messaging apps and avoid downloading modified apps promising enhanced features. Google plans to implement a business verification system on Google Play to enhance security for Android users.

Impact

• Sensitive Information Theft
• Data Theft

Indicators of Compromise

Domain Name

• sg.telegrnm.org

MD5

• 39df26099caf5d5edf264801a486e4ee
• b9e9a29229a10deecc104654cb7c71ae
• e0dab7efb9cea5b6a010c8c5fee1a285
• 8e878695aab7ab16e38265c3a5f17970
• 65377fa1d86351c7bd353b51f68f6b80
• 19f927386a03ce8d2866879513f37ea0

SHA-256

• e7745bcc0fffc30b07c531c9a306767bba76ca36b9026e54febb733cd879683f
• 4ec522b0fe3a8445ce843dbdbfc2c2931e1c2d985f053a1c6d0d3eb8c549258b
• f7254c2fc017e8be033e3a05d22f4efab108178917b412ca37e105b82c30ca12
• d585b6f8a20b0f170fde8ba4ce8728f5c5ef5774f71e84af015e5b3d0ad2c821
• b60e14daabcdf054c2ec7b3503d737118c061022619fb1d16371df0c1e69cb63
• bd86adb77adf399b5659a0043a381faa6b4b115220490ed6669894c2ac02a08a

SHA-1

• 91551187fb0b70e09d8b07d91c501d78efd6aa3e
• c97c8e0a842cec35f299876196050d082b51d936
• 90f0aebd2867615ca24344aee9046e43e150f283
• 28be74ac27f26cffaff5a41875394990da2a13d0
• 35985cc5d35c361d1ccc9f9428912c50154d0f0d
• b1d73c93abfb7732045e9164597b172ef3ee0911

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Stick to official app stores like Google Play and Apple App Store.
• Review the permissions an app requests during installation. If an app asks for excessive permissions that are unrelated to its functionality, consider it a red flag.
• Keep your device’s operating system and apps up-to-date.
• Refrain from downloading apps from unofficial sources or third-party app stores. These sources are less regulated and more prone to hosting malicious apps.
• Enable strong authentication methods, such as two-factor authentication (2FA), for your accounts whenever possible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets.