Spyware abuses Telegram messaging app to target Iranian Android users

Poor attacker security means ANYONE can view a victim’s information…

Spyware abuses Telegram messaging app to target Iranian Android users

Attackers are abusing the Telegram Bot API to target unsuspecting Iranian Android users with spyware.

This malware campaign begins with attackers setting up a bot for Telegram, the popular instant messaging service. This bot provides an attacker's scam with a means of communication that runs over HTTPS. As such, they don't have to build and design their own custom encrypted communication infrastructure.

Avast's Nikolaos Chrysaidos explains how the spyware gets the ball rolling:

"The spyware pretends to be legit and lures potential victims by promising what the Telegram app itself doesn’t provide: the number of people who’ve looked at your listing. Similar scam apps exist for Facebook, promising to show you who has “unfriended” you. Once a user has downloaded it, the app requests your Telegram credentials so it can supposedly retrieve the number of people who’ve viewed your profile. Your score actually depends on a pseudorandom number generator, meaning you can be told you have as many as 9,999,999 viewers."

Telegram bot api screenshot viewers

Description: Wow, your profile has been viewed by 7,358,982 people! (Source: Avast)

Once it's given the user a random number, the spyware waits before hiding its icon and then launching its malicious activity.

First, it uses the infected device's front camera to snap a picture of the victim. Second, it stores the device's contact information, incoming/outgoing SMS messages, and Google account info in new files. Lastly, it uploads that data along with the photo and current location of the device to a remote server that's based in Iran and operated by the attackers.

But that's not all. Attackers can also use the spyware to make a call or send an SMS message on the device as well as upload additional information to the server.

Telegram bot api hidden app spyware

The malicious app hides its icon from the list of apps, but victims can still find it under their installed apps in their device settings. (Source: Avast)

Spyware is bad enough in that someone you don't know can view your personal information and/or control certain functions of your computing device. But when an attacker has terrible security, such malware can become even worse by exposing your information to a larger pool of individuals.

Chrysaidos says that's the case with this spyware:

"The spyware uploads all files via PHP script and saves them to the /rat/uploads directory on the server. These files are available to anyone who enters the right URL into a browser, likely due to inadequate security measures taken by the attacker."

Telegram bot api spyware server screenshot

A screenshot of /rat/uploads. (Source: Avast)

To protect yourself against Telegram-abusing attackers, make sure you only download apps from trusted developers on Google's official Play Store. As such, take a note of other users' reviews of an app before you download it, and read the app's requested permissions before you agree to install it.

Tags: , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

, , , , , ,

One Response

  1. Jack

    July 19, 2017 at 8:35 pm #

    I think the best thing to do now is shut down the internet and go back to pencil and paper.This is getting ridiculous every day some criminals try and mess things up.Use your powers for good not evil I say but I know criminals make more money than most of us.Thanks Gram and David for the articles I am just ranting and fed up with all this crime the internet use to be fun.
    Jack

Leave a Reply