Unofficial Telegram app secretly loads malicious sites

News by Robert Abel

MobonoGram 2019, advertised as an unofficial version of the Telegram messaging application with more features, runs an endless stream of malicious websites in the background

An unofficial Telegram app is secretly loading malicious sites onto the devices of unsuspecting users and running other malicious services in the background without the users’ consent.

Symantec researchers discovered the malicious app, named MobonoGram 2019 (detected as Android.Fakeyouwon) and advertised as an unofficial version of the Telegram messaging application with more features than the official and other unofficial versions, according to a blog post on 15 July.

"When the broadcast receiver class receives the said events, the AddService class will be summoned, then initiates a few other services, namely AndroidAF, AndroidAL, AndroidPA, AndroidPC, AndroidSH—all without the user’s knowledge," researchers said in the blog.

"To ensure the service would run persistently, the developer added two methods in the AddService class: Firstly, to start the service as a foreground service in AddService class," they wrote. "According to Android, a foreground service is rarely killed, even when memory is low. "

Researchers detected the app running an endless stream of malicious websites in the background and suspect it may be used for click fraud or some other malicious end.

The malware was downloaded more than 100,000 times before being removed from Google Play and between January 2019 and May 2019, researchers detected and blocked 1,235 infections related to the Android.Fakeyouwon malware family.

The app was available for download even in regions that have banned Telegram, such as Iran and Russia, and the highest number of infections were detected in the US, Iran, India, and the United Arab Emirates.

Researchers also noted another social messaging app, Whatsgram, on the Play store that not only has the same malicious behavior as MobonoGram 2019 but is published by the same developer (RamKal Developers). 

In addition, researchers noted four additional apps that were published by the developer PhoenixAppsIR, that also contain similar malicious code that accesses malicious and/or phishing websites using the victim’s device.

To prevent infections users are advised to keep their software up to date, not download apps from unfamiliar sites,only install apps from trusted sources, pay attention to permissions requested by the app, use mobile security solutions, and ensure their devices are up to date.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews