Modified Telegram app with malware that puts your data at risk found

New Delhi, June 30

Cyber-security researchers on Friday revealed a modified version of the popular messaging app Telegram on Android that is found to be malicious and can steal your data.

The malware within the malicious app can sign up the victim for various paid subscriptions, perform in-app purchases and steal login credentials, according to the mobile research team at cyber-security firm Check Point.

The malicious app was detected and blocked by Harmony Mobile. Though innocent looking, this modified version is embedded with malicious code linked to the Trojan Triada.

"This Triada trojan, which was first spotted in 2016, is a modular backdoor for Android which grants admin privileges to download other malware," the report said.

Modified versions of mobile applications might offer extra features and customisations, reduced prices, or be available in a wider range of countries compared to their original application.

Their offer might be appealing enough to tempt naive users to install them through unofficial external applications stores.

"The risk of installing modified versions comes from the fact that it is impossible for the user to know what changes were actually made to the application code. To be more precise - it is unknown what code was added and whether it has any malicious intent," the team noted.

The malware disguises itself as Telegram Messenger version 9.2.1.

It has the identical package name (org.telegram.messenger) and the same icon as the original Telegram application.

Upon launch, the user is presented with the Telegram authentication screen, is asked to enter the device phone number, and to grant the application phone permissions.

"This flow feels like the actual authentication process of the original Telegram Messenger application. The user has no reason to suspect that anything out of the ordinary is happening on the device," said the researchers.

The malware gathers device information, sets up a communication channel, downloads a configuration file, and awaits to receive the payload from the remote server.

Its malicious abilities include signing up the user for various paid subscriptions, performing in-app purchases using the user’s SMS and phone number, displaying advertisements (including invisible ads running in the background), and stealing login credentials and other user and device information.

"Always download your apps from trusted sources, whether it is official websites or official app stores and repositories. Verify who the author and creator of the app is before downloading. You can read comments and reactions of previous users prior to downloading," said the team.