Telegram mods found by Kaspersky
Part of the download page for a modified version of the Telegram app in the Google Play store. Image: Kaspersky

Google Play axes batch of Telegram clones that spy on users

Google has removed a network of malicious Telegram clones from its app store following a cybersecurity report published last week.

The apps mostly targeted Chinese-speaking users, infecting them with spyware that could collect information about them and their contacts, according to Kaspersky, the company that discovered the campaign.

The researchers updated their report Monday to say that Google had taken down the apps.

Some of them were downloaded up to 10,000 times before their removal from the Google Play store, researchers said.

The malicious Telegram mods were advertised as a "faster" alternative to the regular app and were reported to use data processing centers around the world.

Once launched, the apps looked identical to the original Telegram, but their code contained additional features aimed at stealing data. What initially raised suspicion among researchers is that the clones tried to get access to users’ contacts in an unusual way.

The analysis also showed that the malicious apps could collect other user-related information, such as name, user ID, and phone number, immediately sending the encrypted copy of this data to the attackers’ servers.

The apps' description on Google Play was available in traditional Chinese, simplified Chinese, and the Uyghur language, indicating that the attackers mostly targeted users from China.

Researchers say hackers often use fake apps to spread malicious software. In August, cybersecurity firm ESET uncovered a scheme in which hackers distributed fake Signal and Telegram apps through legitimate app stores to deliver information-stealing malware.

This malware could collect device information, the list of installed apps, as well as sensitive data, such as contact lists and call records. Some of its targets also were Uyghurs, an ethnic minority group that faces systematic repression from China’s government.

Kaspersky advises users to be cautious with third-party messenger mods, even if they're from official stores.

“Being an official store item does not guarantee an app’s security,” researchers said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.