Messaging and other popular apps are being modified with “better” features and distributed outside of official app stores to lure cyber-prey.

Mobile-malware researchers recently discovered a modified version of the popular Telegram Messenger application for Android operating systems being distributed online.

The modified main app has the same package name (org.telegram.messenger) and the same icon as the original Telegram application. However, though innocent looking, this modified version (named Telegram Messenger version 9.2.1) contains embedded malicious code linked to the trojan malware Triada, a modular backdoor for the Android operating system that grants administrative privileges to hackers to download another malware into the compromised device. 

Upon launch of the tainted app, the user is presented with the Telegram authentication screen, is asked to enter the device phone number, and to grant the application phone permissions. This flow feels like the actual authentication process of the original Telegram Messenger application. The user has no reason to suspect that anything out of the ordinary is happening on the device.

However, static analysis of the applications by Check Point researchers shows that once a user launches the main app, the malware code will also be started and run in the background, disguised as an internal application update service. The malware then gathers device information, sets up a communication channel, downloads a configuration file, and lays in wait to receive the payload from the remote server.

Once the payload is decrypted and launched, the Triada code gains system privileges that allow it to inject itself into other processes and perform many malicious actions, including signing up the user for various paid subscriptions; performing in-app purchases using the user’s SMS and phone number; displaying advertisements (including invisible ads running in the background), and stealing login credentials and other user and device information.

Mobile smartphone users should avoid installing unofficially modded apps just to take advantage of trivial extra features and customizations/reduced prices, or other touted benefits of such unofficial apps. While cybercriminals may dangle appealing perks to tempt naive users to install such apps, the risk of installing modified versions comes from the fact that it is impossible for the user to know what changes were actually made to the application code. To be more precise — it is unknown what code was added, and whether it has any malicious intent.