Telegram is like a minefield: a new threat to Android users
The new version of Telegram has been found to contain powerful malware.
The malicious Telegram app works by elevating its privileges on the system in order to deploy malware. This is possible only if the user grants the permissions the application requests during the registration process. Once access is granted, the malware injects itself into other processes, allowing it to perform malicious actions.
The work of the fake version of Telegram
A malicious version of the Telegram app containing Triada (VirusTotal sample) is cleverly disguised as the latest version of Telegram, 9.2.1. To make the modified version look legitimate, the attackers used a package name (org.telegram.messenger) that resembles the real app's and reused its real icon.
When the application is launched for the first time, the user is presented with a login window that faithfully reproduces the home page of the original application. To proceed with registration, the user is prompted to enter their phone number and grant certain device permissions.
The malicious app then injects malicious code into the device under the guise of an internal app update service. Operating stealthily in the background, the malware initiates its malicious activities, which include collecting device information, extracting configuration files, and establishing communication channels.
Triada works invisibly to the user. Once on the device, the Trojan resides in RAM and intrudes into almost every workflow. Triada is mainly distributed through applications installed by users from untrusted sources.
Check Point researchers have described the various operations that Triada malware can perform. These include:
- signing the victim up for several paid subscriptions;
- showing invisible and background ads;
- making unauthorized in-app purchases using SMS and phone numbers;
- theft of confidential data and passwords.
Earlier, analysts at Kaspersky Lab discovered a new version of the unofficial WhatsApp client for Android called “YoWhatsApp”, which intercepts WhatsApp access keys, allowing an attacker to take control of user accounts. These keys can be used in open-source utilities to perform actions on behalf of the user without the original client.
Recently, researchers have noted the growth of modified versions of mobile applications. Modified applications attract users with new features and additional settings at low prices. However, once downloaded, such applications launch malware on the user’s device. The danger of installing fake versions is that the user does not know what code was added to the application’s codebase and whether it has some kind of malicious intent.