Telegram has a poser, and this is a warning for everyone to beware.
A malicious app previously available in Android Google Play is posing as the popular secured instant messaging app, Telegram, and was downloaded more than 10,000 times. The said was discovered to be promoting malicious and unsecured sites.
The app, which was named MobonoGram 2019, used the code from a legitimate Telegram app to trick users into downloading a supposed “unofficial” beta version of a new and improved Telegram. However, unbeknownst to an unsuspecting user, the malicious app also added secret codes that would allow it to run with persistence, and to load malicious URLs received from a command center.
RamKal Developers, who developed the said malicious app, had already pushed five updates by the time cybersecurity experts discovered its existence. The app runs in both English and Farsi and is available in regions where Telegram is prohibited such as Russia, Iran, and other big brother regions.
The MobonoGram 2019 is a sneaky application that would automatically run after the device has been booted or when an app was downloaded and updated. It is still unclear since the “unofficial” app was made available in the Google Play Store. But cybersecurity researchers said that for the app to garner as many installs, the developers have probably been redirecting users from third-party repositories to Google’s official market for mobile.
Security researchers from Symantec Modern OS Security team made the discovery who also revealed the existence of a zero-day vulnerability in Telegram and WhatsApp’s system that can be exploited by threat actors in a method called “Media File Jacking.”
“We recently found a malicious app named MobonoGram 2019 (detected as Android.Fakeyouwon) advertising itself as an unofficial version of the Telegram messaging app and claiming to provide even more features than both the official and other unofficial versions in the market. While the app does provide basic messaging functionality, we found it was also secretly running a few services on the device without the user’s consent, as well as loading and browsing an endless stream of malicious websites in the background,” said May Ying Tee and Martin Zhang from Symantec.
Persistence and URL redirect mechanism
What’s troubling about the MobonoGram app is the persistence mechanism that allows it to continually run in the foreground of a device without the users’ consent.
“To ensure the service would run persistently, the developer added two methods in the AddService class: Firstly, to start the service as a foreground service in AddService class. According to Android, a foreground service is rarely killed, even when memory is low,” the researchers said.
“Secondly, in the event that the service is killed, the malware sets an alarm that initializes the AddService class to reboot itself 7,200,000 milliseconds, or two hours, after it was destroyed.”
Because of this, the researchers explained, the malware will be able to execute itself indefinitely.
Aside from being persistent, the app includes malware that redirects a user to some malicious websites. “With the given URL (see “Link” in Figure 4), the malware tries to access and load the page. A fraudulent user agent is also added to the URL’s request header to disguise the source of the request,” the researchers wrote.
But the user agent appears to be randomly generated because no two same user agents are generated from querying the same server.
“We found that the URL changes based on the geographical location of the device’s IP address. For example, when we used an IP address originating from the U.S., a fraud website similar to Fakeyouwon was returned. When we used an IP address from Singapore, the server responded with a Fakeyouwon, pornography, or gaming website. We cannot say how many different URLs can be returned by the server—for all we know, what we’ve seen was only a drop in the bucket,” they added.
The infected devices of this specific malware through the unauthorized version of Telegram since January 2019 comes from Iran, the U.S., UAE, and Germany. The MobonoGram 2019 is no longer available in the official Google Play Store, but researchers believe that third-party Android app stores still include them and other users can still be able to download the malicious app.