100 thousand users installed an unofficial malicious version of Telegram

Symantec experts found MobonoGram 2019 on Google Play, an application positioned as an unofficial version of Telegram with a large set of functions.

More than 100 thousand users downloaded it from the official Google Play store. In fact, the application not only failed to offer the advanced features of the messenger, but also promoted malicious sites.

MobonoGram 2019 used the code of the legitimate Telegram version, to which several scripts were added that worked invisibly to the user. These scripts were responsible for loading the malicious URLs received from the command-and-control (C&C) server.

By the time researchers found the unwanted application, its developer, RamKal Developers, had managed to release five updates in the Android app store.

The MobonoGram 2019 application was offered for download to users in countries where the Telegram messenger is prohibited (Russia, Iran and so on).

The MobonoGram 2019 app’s UI has a similar look and feel to the official Telegram

Once installed on the device, the application started every time the operating system booted. After launching, MobonoGram 2019 requested from the command server a list of URLs to visit from the infected device.

According to a Symantec report, the malicious links were different each time, depending on the user’s geographic location. The pages of such sites usually showed a phishing scheme claiming that the user had won a Samsung S10 smartphone.

“Such code structure is usually hard to spot via static code analysis, making it extremely easy for the attacker to sneak its way into Google Play. Additionally, these attacks can become really nasty quickly as it can load and execute any dynamic malicious contents that are sent by the server,” report Symantec specialists.

RamKal Developers was noted not only in relation to this application: experts also stumbled upon another program, Whatsgram, which had similar behavior.

Researchers find it difficult to say how long the unwanted application has been on the Google Play Store site.

How to mitigate?

  • Keep your software up to date.
  • Do not download apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by apps.
  • Install a suitable mobile security app to protect your device and data.
  • Make frequent backups of important data.
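
As an added example (not from the original article or the Symantec report), the permission check above can be made concrete for the behavior described: an app that starts at every boot and then talks to a server. The sketch assumes the manifest has already been decoded to plain XML; the sample manifest is constructed, its package and class names are hypothetical, and it is not MobonoGram's real manifest.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Broadcast actions that let an app run code when the device starts.
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
}

# Constructed sample for illustration only; all names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger.clone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AutoStart">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.PUSH"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Report boot-time autostart combined with network access.

    This is a triage heuristic: many legitimate apps match it too, so a hit
    means "look closer at what runs at boot", not "malicious".
    """
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    boot_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if {a.get(NAME) for a in r.iter("action")} & BOOT_ACTIONS
    ]
    boot_perm = "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "boot_receivers": boot_receivers,
        "boot_permission": boot_perm,
        "internet": internet,
        "flag": bool(boot_receivers) and boot_perm and internet,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
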

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
