Keypoints
- Malicious Telegram mods were distributed via Google Play and embed a suspicious package named com.wsys that is not part of official Telegram builds.
- The com.wsys code is invoked from the app start routine (connectSocket) to gather user name, user ID, and phone number, then connects to a command server.
- An incoming-message hook calls uploadTextMessageToService to capture message contents, chat/channel titles and IDs, and sender metadata; data are encrypted and cached to tgsync.s3.
- Contacts processing contains uploadFriendData which collects contact IDs, nicknames, names and phone numbers, sending them to the attackers in the same manner.
- Files sent or received are copied, encrypted, and forwarded to attackers' cloud storage accounts; exfiltration occurs at scheduled intervals to a C2 domain (sg.telegrnm.org).
- Kaspersky published multiple MD5 hashes for the trojanized APKs and reported the C2 domain; Google later removed the apps from Play.
MITRE Techniques
- [T1071] Application Layer Protocol: Used to communicate with the command server; the article states that "the app connects to the command server".
- [T1041] Exfiltration Over C2 Channel: Exfiltrated data is sent periodically to the command server: "The app sends this temporary file to the command server at certain intervals".
- [T1567] Exfiltration Over Web Service: Stolen files are forwarded to attackers' cloud accounts: "forwarded to the attackers' account residing in one of the popular cloud storages".
- [T1074] Data Staged: Harvested messages are encrypted and cached into a temporary file before exfiltration: "cached into a temporary file named tgsync.s3".
- [T1087] Account Discovery: The malware collects account and contact details (IDs, nicknames, names, phone numbers): "collect information about the user's contacts: IDs, nicknames, names, and phone numbers".
Indicators of Compromise
- [MD5 hashes] APK file hashes: 39df26099caf5d5edf264801a486e4ee, b9e9a29229a10deecc104654cb7c71ae, and 7 more hashes.
- [C2 domain] Command-and-control server: sg[.]telegrnm[.]org (listed as the app's command server).
- [Package name] Malicious library/package: com.wsys (suspicious package embedded in Trojanized APKs).
- [File name] Staged exfiltration file: tgsync.s3 (temporary encrypted cache used before upload).
The technical analysis revealed that the trojanized Telegram mods include an extra library package named com.wsys, which is invoked from the app's main activity via a connectSocket() routine. That routine gathers user identifiers (name, user ID, phone number) and establishes a network connection to a command server, enabling remote control and data transfer.
Incoming-message handling was modified to call uploadTextMessageToService, which extracts message text, chat/channel titles and IDs, and sender metadata, encrypts the collected records and stages them in a temporary file named tgsync.s3. Contact-processing code calls uploadFriendData to harvest contact IDs, nicknames, names and phone numbers. The staged data file is sent to the attackers at intervals, and files sent or received by the user are copied, encrypted, and uploaded to attackers' cloud storage accounts.
Indicators tied to these behaviors include multiple APK MD5 hashes published by the researcher, the C2 domain sg.telegrnm.org, the malicious package com.wsys, and the staged file tgsync.s3. The modifications to the original Telegram code were minimal and positioned to bypass store checks while enabling systematic collection and exfiltration of messages, contacts and files.
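The indicators above can be turned into a static triage check for a downloaded APK. The following is an added example written for this summary, not code from Kaspersky or the Securelist article: it hashes the file against the two MD5 values quoted here and searches every archive member for the com.wsys class path, the staging file name and the C2 domain. The sample APK it builds for its self-test is constructed and is not a real app.

```python
import hashlib
import io
import zipfile

# Indicators quoted in the report summarised above (two of the nine MD5s).
KNOWN_MD5 = {
    "39df26099caf5d5edf264801a486e4ee",
    "b9e9a29229a10deecc104654cb7c71ae",
}
# Strings an official Telegram build has no reason to contain. Dex files
# store class names with '/' separators, hence "com/wsys" for com.wsys.
STATIC_INDICATORS = (b"com/wsys", b"sg.telegrnm.org", b"tgsync.s3")


def scan_apk(apk_bytes: bytes) -> dict:
    """Report which indicators from the write-up an APK contains.

    An APK is a zip archive; each member is searched as raw bytes, so the
    check still works when class names are obfuscated but string constants
    such as the domain or file name survive.
    """
    hits = {"md5_match": False, "indicators": set(), "members": set()}
    digest = hashlib.md5(apk_bytes, usedforsecurity=False).hexdigest()
    hits["md5_match"] = digest in KNOWN_MD5
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            for needle in STATIC_INDICATORS:
                if needle in data:
                    hits["indicators"].add(needle.decode())
                    hits["members"].add(info.filename)
    return hits


def is_suspicious(hits: dict) -> bool:
    """Flag on a known hash or on the embedded com.wsys package alone."""
    return hits["md5_match"] or "com/wsys" in hits["indicators"]


def build_sample_apk(trojanized: bool) -> bytes:
    """Construct a minimal stand-in APK (not a real app) for a self-test."""
    dex = b"Lorg/telegram/messenger/MessagesController;"
    if trojanized:
        dex += b"Lcom/wsys/Sync;uploadTextMessageToService tgsync.s3 sg.telegrnm.org"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk(True)))
```

A real sample will only match on the hash if it is one of the builds Kaspersky listed; the string indicators are what catch a rebuilt or repacked variant that keeps the same library.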
Read more: https://securelist.com/trojanized-telegram-mod-attacking-chinese-users/110482/