'Evil Telegram' Spyware Campaign Infects 60K+ Mobile Users

Dangerous spyware masquerading as a set of legitimate Telegram "mods" inside the official Google Play app store has been downloaded tens of thousands of times — and its existence poses serious ramifications for business users.

Modified applications ("mods") for the popular messaging client are a well-known part of the Telegram ecosystem. Mods are apps that have all the standard functionality of an official client, but they're supercharged with extra features. In the case of Telegram, this kind of development is actively encouraged by the company and considered perfectly legitimate.

Unfortunately, according to research from Kaspersky, unknown threat actors are trading on the official acceptance of Telegram mods' existence to create a new avenue for cyberespionage, which they fittingly dubbed "Evil Telegram."

"Telegram mods are popping up like mushrooms … [but] messenger mods should be handled with great caution," according to Kaspersky's findings on Evil Telegram, published Sept. 8.

The allure for cybercriminals is clear, says Erich Kron, security awareness advocate at KnowBe4.

"With apps like Telegram, Signal, and WhatsApp touting security through end-to-end encryption, many users associate the platforms with being secure and fail to consider the implications of a third-party app being used," Kron says. "By touting additional features not available with official apps, or by promising better performance and efficiency, bad actors can make these third-party apps very tempting."

Paper Airplane Spyware Takes Flight in China

In an example of the Evil Telegram trend, Kaspersky researchers have found a set of infected apps on Google Play calling themselves "Paper Airplane," purporting to be Uyghur, simplified Chinese, and traditional Chinese versions of the messaging app; in the descriptions on Google Play, they lure users in by claiming to be faster than other clients, thanks to a distributed network of data centers around the world.

"At first glance, these apps appear to be full-fledged Telegram clones with a localized interface. Everything looks and works almost the same as the real thing," according to Kaspersky. "[But] there is a small difference that escaped the attention of the Google Play moderators: The infected versions house an additional [malicious] module." The post added, "their code is only marginally different from the original Telegram code, making for smooth Google Play security checks."

It turns out that the hidden module is a powerful spyware that constantly monitors any activity within the messenger, and exfiltrates all contacts, sent and received messages with attached files, names of chats/channels, name and phone number of the account owner messenger.

Worryingly, the apps have collectively been downloaded more than 60,000 times, and presumably continue to collect information on victims. This is particularly of concern when it comes to the Uyghur version, which targets an ethnic minority within China that has been repeatedly persecuted and targeted with spyware in the past, likely at the behest of government intelligence services. Civil society and dissidents in general tend to turn to encrypted messaging to avoid the attention of the repressive regimes they criticize.

Kaspersky researchers said they reported the apps to Google for removal to prevent future infections, but some versions are still available in the Play store. Google did not immediately return a request for comment from Dark Reading.

Malicious Messaging Apps on the Rise

While the Paper Airplane attacks represent niche, potentially political targeting, Callie Guenther, cyber-threat research senior manager at Critical Start, warns that everyday businesses should be following the Evil Telegram trend.

"Mobile spyware's evolution can be attributed to the ubiquity of smartphones and the wealth of personal and corporate data they store," she says. "Mobile spyware is not a fringe phenomenon but a mainstream cyber threat. Businesses are ever more reliant on messenger apps for daily communications. The recent spyware findings serve as a stern reminder that organizations can't let their guard down."

Infected apps can lead to unauthorized access to sensitive company data; exposure of business strategies, deals, or intellectual property; and compromised employee personal information, risking identity theft or fraud, she adds.

"Attacks employing various unofficial Telegram mods are on the rise of late," Kaspersky researchers warned, adding the pivot to spyware represents an evolution for Trojanized Telegram apps.

"Often, they replace cryptowallet addresses in users’ messages or perform ad fraud," according to Kaspersky. "Unlike those, the [most recent] apps come from a class of full-fledged spyware … capable of stealing the victim's entire correspondence, personal data, and contacts."

Indeed, the Paper Airplane discovery follows ESET's recent discovery of another spyware version of Telegram, dubbed FlyGram, which was available on Google Play as well as the Samsung Galaxy Store; ESET also discovered the same malware lurking in a Trojanized version of the Signal encrypted messaging app in these same stores, called Signal Plus Messenger.

Protecting Business Users Against Mobile Spyware

"Most users still blindly trust any app that’s been verified and published on Google Play," according to Kaspersky. To protect themselves, businesses should remind employees that even Google Play isn't immune to malware, and in particular, alternative clients for popular messengers should be avoided.

Even official apps should be scrutinized, according to researchers, paying attention not only to the name but also the developer, and taking note of negative user reviews.

"For organizations that allow employees to communicate through mediums such as this," Kron says, "it's critical that they use only the official applications and educate users about the dangers of third-party apps, even when downloaded from official app stores."