Modified versions of mobile applications are very common in the world of apps. These applications may offer additional features and customizations, reduced prices, or be available in a larger number of countries than the original application.
Their offer can be so tempting that careless users install them via unofficial external application stores. The risk of installing modified versions is that the user cannot know what changes have actually been made to the application code. More specifically, it is not known what code was added and whether it has malicious intent.
Check Point Mobile Research Team recently discovered a modified version of the popular Telegram Messenger Android application. Despite looking innocent, this modified version embeds malicious code associated with the Triada Trojan. First discovered in 2016, this Triada Trojan is a modular backdoor for Android that grants administrator privileges to download other malware.
Perfect camouflage
The malware disguises itself as Telegram Messenger version 9.2.1. It has the same package name (org.telegram.messenger) and icon as the original Telegram application. Upon launch, the user will be presented with the Telegram authentication screen and will be prompted to enter the phone number of the device and grant phone rights to the application. This flow feels like the actual authentication process of the original Telegram Messenger application. So the user has no reason to suspect that something unusual is happening on the device.
Once the payload is decrypted and launched, Triada gains system privileges that allow it to inject itself into other processes and perform malicious actions.Previous investigations of Triada payloads have revealed Triada's diverse malicious abilities. This includes signing up the user for various paid subscriptions, making in-app purchases using the user's SMS and phone number, displaying advertisements (including invisible ads running in the background), and stealing login credentials and other users - and device information.
More at Checkpoint.com
About check point Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100.000 businesses of all sizes.