Kaspersky has discovered a series of malicious Android apps posing as Telegram alternatives on Google Play, with over 60,000 installations. These apps, primarily targeting Chinese-speaking users and the Uighur ethnic minority, are believed to have connections to state monitoring and repression mechanisms.
Disguised as “faster” Telegram alternatives, these trojanized apps have moderate success in attracting potential victims. Upon installation, they steal user messages, contacts, usernames, user IDs, and phone numbers, sending the pilfered data to the operator’s command and control server.
The malicious apps use package names such as 'com.wsys', which differ from the legitimate Telegram app's package name, 'org.telegram.messenger.web'. The stolen data is encrypted before transmission and includes message contents, chat and channel titles and IDs, and sender information.
Furthermore, the spyware monitors the infected app for changes to the victim’s username, user ID, and contacts list, ensuring the attackers have the most up-to-date information.
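One practical defender check that follows from the package-name detail above is to compare the third-party packages installed on a device against the package name the report attributes to the clones and against the legitimate Telegram package name. The script below is an added example, not Kaspersky's or Google's tooling; it assumes the input is the `package:<name>` line format produced by `adb shell pm list packages -3`, takes 'com.wsys' and 'org.telegram.messenger.web' from the report, and adds 'org.telegram.messenger' as the standard Play Store build (an assumption, not stated on the page). App labels, which are needed to spot a clone whose package name does not mention Telegram at all, are assumed to be collected separately; the sample listing and labels are constructed.

```python
"""Flag Telegram look-alike packages in an `adb shell pm list packages -3` listing.

Added example, not tooling from the report. Assumptions: input lines look like
"package:<name>"; 'com.wsys' and 'org.telegram.messenger.web' come from the
report; 'org.telegram.messenger' is the regular Play Store build (assumption).
"""
import re

# Package name the report attributes to the malicious Telegram clones.
KNOWN_BAD_PACKAGES = {"com.wsys"}

# Legitimate Telegram packages: the first is quoted in the report, the second is
# the standard Play Store build (assumption, not from the report).
LEGIT_TELEGRAM_PACKAGES = {"org.telegram.messenger.web", "org.telegram.messenger"}

PM_LINE = re.compile(r"^package:(?P<name>[A-Za-z0-9_.]+)$")


def parse_pm_output(text: str) -> list[str]:
    """Extract package names from `pm list packages` output, ignoring other lines."""
    names = []
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


def classify(packages, labels=None):
    """Map each package to a verdict.

    labels: optional {package: launcher label}, assumed to be gathered separately
    (e.g. from dumpsys or the APK manifest). A label or package name mentioning
    Telegram outside the legitimate set is reported as a look-alike.
    """
    labels = labels or {}
    verdicts = {}
    for pkg in packages:
        if pkg in KNOWN_BAD_PACKAGES:
            verdicts[pkg] = "known-bad"
        elif pkg in LEGIT_TELEGRAM_PACKAGES:
            verdicts[pkg] = "legitimate-telegram"
        elif "telegram" in labels.get(pkg, "").lower() or "telegram" in pkg.lower():
            verdicts[pkg] = "telegram-lookalike"
        else:
            verdicts[pkg] = "unclassified"
    return verdicts


# Constructed sample listing, not output from a real device.
SAMPLE_PM_OUTPUT = """\
package:org.telegram.messenger.web
package:com.wsys
package:com.example.fastgram
package:com.android.chrome
"""

# Constructed sample labels; 'com.example.fastgram' is a hypothetical clone whose
# package name hides the Telegram branding but whose launcher label does not.
SAMPLE_LABELS = {"com.example.fastgram": "Telegram Fast"}

if __name__ == "__main__":
    pkgs = parse_pm_output(SAMPLE_PM_OUTPUT)
    for pkg, verdict in classify(pkgs, SAMPLE_LABELS).items():
        print(f"{verdict:20} {pkg}")
```

The package-name match is only a first-pass triage: a clone can be republished under a new package name, so the label check and, ultimately, the app's requested permissions and network behaviour are what confirm a look-alike.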
After detecting these malicious apps, Kaspersky reported them to Google, which subsequently removed them from Google Play and banned the associated developers. Google also assured users of protection through Google Play Protect.