Modified version of Telegram carries malware: Check Point

Cyber-security firm Check Point reported that a modified version of the popular messaging app Telegram for Android carries malicious code capable of stealing user data.
The malware embedded in the modified app can enroll victims in paid subscriptions, make unauthorized in-app purchases, and steal login credentials.

Check Point's Harmony Mobile product detected and blocked the malicious app, which looks innocuous but contains code linked to the Triada Trojan. Triada is a modular Android backdoor first documented in 2016 that seeks elevated privileges on the device so it can download and install other malware.

Modified versions of mobile applications often advertise extra features, customizations, or availability in countries where the original is not offered. Unwary users may be tempted to install them from unofficial third-party app stores.

Check Point noted that the risk of installing a modified app is that the user cannot see what was changed in the application's code, including any malicious alterations.

The malicious app poses as Telegram Messenger version 9.2.1, using the same package name (org.telegram.messenger) and icon as the genuine Telegram application. Neither of these identifies the publisher: a repackager can copy both, but cannot reproduce the original developer's signing key.
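The check that does identify the publisher is the certificate the APK was signed with. The following Python is an added example, not code from Check Point's report or from Telegram: it reads the signer certificate(s) from an APK's v1 (JAR) signature block under META-INF, computes their SHA-256 fingerprints, and compares them with a known-good set. The certificates and the APK it builds are constructed stand-ins, and it uses only the standard library. Real APKs should be checked with `apksigner verify --print-certs`, which also handles the v2/v3 signature schemes stored in the APK Signing Block, which this parser does not read.

```python
import hashlib
import io
import zipfile

# DER-encoded OID values: 1.2.840.113549.1.7.2 (PKCS#7 signedData), 1.2.840.113549.1.7.1 (id-data)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
OID_DATA = bytes.fromhex("2a864886f70d010701")


def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, end, raw_tlv)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end, buf[start:end]


def der_children(value):
    """Split the body of a constructed DER element into (tag, value, raw_tlv) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos, raw = der_read(value, pos)
        out.append((tag, inner, raw))
    return out


def der_encode(tag, value):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def pkcs7_certificates(blob):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData block."""
    tag, content_info, _, _ = der_read(blob)
    if tag != 0x30:
        raise ValueError("PKCS#7 ContentInfo must be a SEQUENCE")
    oid, wrapper = der_children(content_info)[:2]
    if oid[0] != 0x06 or oid[1] != OID_SIGNED_DATA or wrapper[0] != 0xA0:
        raise ValueError("not a PKCS#7 SignedData structure")
    signed_data = der_children(wrapper[1])[0]           # the SignedData SEQUENCE
    fields = der_children(signed_data[1])               # version, digestAlgorithms, encapContentInfo, ...
    for ftag, inner, _ in fields[3:]:
        if ftag == 0xA0:                                # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in der_children(inner) if t == 0x30]
    return []


def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of the signer certificates in the APK's v1 (JAR) signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def is_genuine(apk_bytes, expected_fingerprints):
    """True only if the APK carries a signature and every signer certificate is one we expect."""
    fps = signer_fingerprints(apk_bytes)
    return bool(fps) and fps <= set(expected_fingerprints)


# Constructed sample data: not real certificates, not a real APK.
GENUINE_CERT = der_encode(0x30, der_encode(0x0C, b"stand-in for the real publisher's certificate"))
ROGUE_CERT = der_encode(0x30, der_encode(0x0C, b"stand-in for a repackager's certificate"))
GENUINE_FP = hashlib.sha256(GENUINE_CERT).hexdigest()
ROGUE_FP = hashlib.sha256(ROGUE_CERT).hexdigest()


def build_sample_apk(cert_der):
    """Build a minimal APK-like zip whose v1 signature block carries cert_der (constructed test input)."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                           # version
        + der_encode(0x31, b"")                             # digestAlgorithms (empty in this sample)
        + der_encode(0x30, der_encode(0x06, OID_DATA))     # encapContentInfo
        + der_encode(0xA0, cert_der))                       # certificates [0]
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='org.telegram.messenger'/>")  # same package name
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    for label, cert in (("genuine build", GENUINE_CERT), ("repackaged build", ROGUE_CERT)):
        print(label, "passes" if is_genuine(build_sample_apk(cert), {GENUINE_FP}) else "FAILS", "signer check")
```

Both sample builds declare the same package name; only the one signed with the expected certificate passes. The check is strict in one direction on purpose: an APK with no signature block at all fails rather than passing by default. Android enforces part of this itself, since it refuses to install an APK over an existing app of the same package name when the signing certificate differs, so a repackaged Telegram can only be installed on a device that has no genuine Telegram or after the genuine one is removed.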

When launched, the app shows the Telegram authentication screen, prompting the user to enter the device's phone number and to grant the app phone permissions.

The researchers explained that this flow closely mimics the genuine Telegram Messenger sign-in process, so users have little reason to suspect anything malicious on their device.

Once installed, the malware collects device information, establishes a communication channel with its remote server, downloads a configuration file, and waits for the server to deliver the payload.

Its capabilities include signing users up for paid subscriptions, making unauthorized in-app purchases using their SMS access and phone number, displaying advertisements (including hidden ads running in the background), and stealing login credentials and other sensitive user and device information.

The research team advised users to download apps only from trusted sources such as official websites or authorized app stores and repositories, to verify the app's author before installing it, and to read reviews and reactions from previous users as an added precaution.