The Risk of Triada Malware | DROP Organization



Security researchers recently found that a modified version of the popular Telegram messaging application for Android is malicious. The app is capable of stealing user data: the malware inside it is designed to sign victims up for paid subscriptions, make unauthorized in-app purchases and steal login credentials.

The infected Telegram build carrying the Triada malware is distributed through third-party app stores rather than the official Google Play Store. It is disguised as the latest version of Telegram Messenger, specifically version 9.2.1.

Telegram's widespread popularity has made it one of the most commonly used messaging apps globally, which in turn makes it an attractive target for scammers and cyber criminals.

The malicious application, which was blocked by Harmony Mobile, was found to contain a variant of the Triada Trojan. Earlier research on Triada has already demonstrated its persistence, with Google confirming the presence of this malware in inexpensive Android phones.

Triada is a modular backdoor for Android, first detected in 2016, that obtains elevated privileges in order to install additional malware. Modified versions of mobile applications entice users with added features, customizations, lower prices, or wider availability. These tempting offers lead unsuspecting users to install the modified versions from unofficial external application stores.

Installing such applications carries many risks, because users cannot determine what changes have been made to the application's code. They have no way of knowing whether code has been added, or whether any added code is malicious.

The malicious Telegram application escalates its privileges on the system in order to launch the malware. If the user grants the phone permissions requested during the signup process, that access is obtained. Once this step is done, the malware can inject itself into other processes and begin a range of malicious activities.

How do Attackers trick users?

The malicious version of the Telegram application containing Triada is cunningly disguised as the latest version of Telegram Messenger. To make the application look legitimate, the attackers use a package name similar to that of the genuine application and reuse the application's verified icon. This makes it difficult for users to suspect any wrongdoing.

The malware collects device information, establishes a communication channel, downloads a configuration file and waits to receive the payload from a remote server. The result is victims enrolled in paid subscriptions, in-app purchases made using the victims' SMS and phone number, advertisements displayed, and login credentials and other sensitive user and device data stolen.

The downloaded app shows a login window that perfectly replicates the original app's home screen. Users are then prompted to enter their phone number and grant device permissions.

Subsequently, the malicious application injects harmful code into the device under the guise of an internal application update service. This runs in the background, where it carries out malicious activities such as gathering information about the device, retrieving configuration files, and establishing communication channels.

Power of Triada

Triada carries out various operations, such as enrolling victims in multiple paid subscriptions, displaying invisible and background ads, and making unauthorized in-app purchases via SMS and phone numbers. In addition, Triada is able to steal sensitive data, such as passwords, from compromised devices.

Modified versions of mobile apps are on the rise. These modified applications trick users with new features and additional customization at low prices. Once installed, they unleash malware onto the user's device.

How can we ensure protection?

To reduce the risk from these threats, users are advised to refrain from downloading software from untrusted sources and to download applications exclusively from trusted ones such as official websites, app stores and repositories. It is important to verify the author and creator of an application before downloading it. Reading comments and feedback from previous users can also provide valuable insight.
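As an added example (this is not code from the original article, nor from Telegram or the vendor it cites), here is a small Python triage script for the two warning signs raised on this page: a package name that merely resembles the official one (the trick described under "How do attackers trick users?" above) and an app installed from somewhere other than the official store. It parses text in the output format of `adb shell pm list packages -i` (one line per package, `package:<name>  installer=<installer or null>`). The sample output is constructed for the example, the lookalike package names in it are invented, and the official package id org.telegram.messenger is an assumption not stated in the article.

```python
"""Triage installed Android packages for lookalike names and sideloading.

Added example, not from the original article. Parses the output format of
`adb shell pm list packages -i`. The sample output below is constructed, not
captured from a real device, and the lookalike package names are invented.
"""
import re
from typing import Dict, List, Tuple

# Assumption: the official Telegram package id (not stated in the article).
OFFICIAL_PACKAGES = {"org.telegram.messenger": "Telegram"}
# Installer ids we treat as an official store (Google Play).
TRUSTED_INSTALLERS = {"com.android.vending"}
# Edit distance at or below which a name counts as an imitation.
LOOKALIKE_MAX_DISTANCE = 2

_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches near-miss spellings such as 'telegrarn'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_pm_output(text: str) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs; lines that do not match are skipped."""
    pairs = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("pkg"), m.group("inst")))
    return pairs


def classify(pkg: str, installer: str) -> str:
    """Label one installed package.

    official                 - the real name, installed by a trusted store
    official-name-sideloaded - the real name but not installed by a trusted
                               store; verify its signing certificate before
                               trusting it
    lookalike                - a name that imitates an official one
    unrelated                - not one of the apps we track
    """
    if pkg in OFFICIAL_PACKAGES:
        return "official" if installer in TRUSTED_INSTALLERS else "official-name-sideloaded"
    for official in OFFICIAL_PACKAGES:
        # Sub-package trick ("<official>.update") or a near-miss spelling.
        if pkg.startswith(official + ".") or levenshtein(pkg, official) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike"
    return "unrelated"


def triage(pm_output: str) -> Dict[str, str]:
    """Map every package in the pm output to its classification."""
    return {pkg: classify(pkg, inst) for pkg, inst in parse_pm_output(pm_output)}


# Constructed sample output (not from a real device); lookalike names are invented.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:org.telegram.messenger.update  installer=null
package:org.telegrarn.messenger  installer=com.example.thirdpartystore
"""

if __name__ == "__main__":
    for pkg, verdict in triage(SAMPLE_PM_OUTPUT).items():
        print(f"{verdict:26} {pkg}")
```

A name match or a trusted installer is only a first filter: the check that actually confirms the author of an APK is comparing the signing certificate that `apksigner verify --print-certs` reports against the fingerprint the genuine developer publishes, which this script does not do.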

By maintaining caution and adhering to these preventive measures, users can protect themselves from the dangers posed by malicious applications and keep their sensitive information from falling into the wrong hands.

Devices previously found to be affected include models from companies such as Leagoo, ARK Benefit, Zopo Speed, Doogee, Cherry Mobile Flare, and many more. This underscores the need for vigilance and security measures.
