Millions infected with spyware hidden in fake Telegram apps on Google Play
Spyware posing as modified versions of Telegram has been spotted in the Google Play Store, designed to collect sensitive information on compromised Android devices.
According to Igor Golovin, a security researcher at Kaspersky, the applications come with harmful characteristics to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server.
The activity was named Evil Telegram by the Russian cybersecurity company.
The apps were collectively downloaded millions of times before being removed by Google. Their details are as follows –
- 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) – more than 10 million downloads
- TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) – over 50,000 downloads
- 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) – 50,000+ downloads
- 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) – 10,000+ downloads
- ئۇيغۇر تىلى TG – تېلېگرامما (org.telegram.messenger.wcb) – 100+ downloads
The last app on the list translates to “Telegram – TG Uyghur”, indicating a clear attempt to target the Uyghur community.
It is worth noting that the package name associated with the Play Store version of Telegram is “org.telegram.messenger”, while the package name for the APK file directly downloaded from The Telegram website is “org.telegram.messenger.web”.
The use of “wab”, “wcb” and “wob” for malicious package names therefore highlights the malicious actor’s use of typosquatting techniques in order to impersonate the legitimate Telegram application and pass unnoticed.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
MFA achieved? WFP? Service account protection? Find out how equipped your organization really is against identity threats
“At first glance, these apps appear to be real Telegram clones with a localized interface,” the company explains. said. “Everything looks and works almost the same as the real thing. (But) there is one small difference that escaped the attention of Google Play moderators: the infected versions harbor an additional module:”
The disclosure comes days after ESET revealed a BadBazaar malware campaign targeting the official app marketplace that exploited a malicious version of Telegram to collect chat backups.
Similar apps Telegram and WhatsApp were discovered by the Slovak cybersecurity company in March 2023, equipped with clipper functionality to intercept and change wallet addresses in chat messages and redirect cryptocurrency transfers to wallets belonging to attackers.
