Cybersecurity researchers have found several spyware-infected versions of Telegram and Signal on the Google Play Store, designed to gather sensitive information from compromised Android devices, a new report has said.
According to the cybersecurity firm Kaspersky, these bogus apps include nefarious features that capture and send names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server.
The activity has been codenamed “Evil Telegram” by the researchers.
“Our experts discovered several infected apps on Google Play under the guise of Uyghur, Simplified Chinese and Traditional Chinese versions of Telegram. The app descriptions are written in the respective languages and contain images very similar to those on the official Telegram page on Google Play,” the researchers said.
Moreover, the report said that, to convince users to download these fake apps instead of the official one, the developer claims that the apps work faster than other clients thanks to a distributed network of data centres around the world.
At first glance, these apps appear to be full-fledged Telegram clones with a localised interface. Everything looks and works almost the same as the real thing, according to the researchers.
The researchers then looked inside the code and found the apps to be little more than slightly modified versions of the official one.
They found a small difference that escaped the attention of the Google Play moderators — the infected versions house an additional module, which constantly monitors what’s happening in the messenger and sends masses of data to the spyware creators’ command-and-control server, the report mentioned.
Before Google took the apps down, they had been downloaded millions of times.