A malicious app that advertised itself as an unofficial version of Telegram was downloaded more than 100,000 times, reported Symantec security researchers.
The app is called MobonoGram 2019, and it claimed to offer more features than the official client and the other unofficial versions available to users. The app, which was available on Google Play, did provide some messaging functionality, but its real purpose was to covertly run several services on the device and load “an endless stream of malicious websites in the background”.
More about MobonoGram 2019 Malicious App
As already mentioned, the MobonoGram 2019 app was available for download on Google Play and was downloaded more than 100,000 times. It was installed in countries where Telegram is banned, such as Iran and Russia, as well as by users in the United States.
The app also “allowed users to toggle between English or the Persian language (Farsi)”. Apparently the developers took the open-source code of the legitimate Telegram app, injected their malicious code into it, and then published the result on the Play store.
The developer of MobonoGram 2019 app is RamKal Developers. The researchers believe that the developers published at least five updates for the app on Google Play before it was taken down.
One of the notable things about the malicious app “inspired” by Telegram is its persistence mechanism, which involved a class named Autostart (android.support.translations.english.autostart) implementing a broadcast receiver. The developers also made sure that the malicious service ran in the foreground, because “a foreground service is rarely killed, even when memory is low”. Even if the service is killed, it is able to restart itself, so it keeps executing indefinitely.
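The persistence pattern described above (a boot-triggered broadcast receiver plus a long-running service, with the malicious classes tucked into a package name that looks like a framework library) is something an analyst can triage straight from a decoded AndroidManifest.xml. The following is an added example written for this article, not tooling from Symantec or code from the app itself. The manifest it inspects is a constructed sample modelled on the behaviour the article describes; the package name com.example.mobonogram, the component names other than the Autostart class, and the scoring weights are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (NOT the real MobonoGram manifest): a receiver
# listening for boot events and a service, both declared under an
# "android.support.*" package that does not belong to the app's own package.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mobonogram">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="MobonoGram">
    <activity android:name="com.example.mobonogram.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="android.support.translations.english.autostart"
              android:enabled="true" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
    <service android:name="android.support.translations.english.loader"
             android:enabled="true" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: no boot receiver, no services,
# components declared relative to the app's own package.
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Chat">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Intent actions that fire at (or shortly after) boot.
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
}
# Namespaces owned by the platform / support libraries. An app declaring its
# own components there is hiding in plain sight (a heuristic, not a rule).
LIBRARY_PREFIXES = ("android.", "androidx.", "com.google.android.")
PERSISTENCE_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}


def persistence_indicators(manifest_xml):
    """Return the persistence-related findings from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = {
        "boot_receivers": [],
        "services": [],
        "namespace_squatting": [],
        "persistence_permissions": sorted(perms & PERSISTENCE_PERMISSIONS),
    }
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if actions & BOOT_ACTIONS:
            findings["boot_receivers"].append(receiver.get(ANDROID_NS + "name", ""))
    for service in root.iter("service"):
        findings["services"].append(service.get(ANDROID_NS + "name", ""))
    for tag in ("activity", "receiver", "service", "provider"):
        for comp in root.iter(tag):
            name = comp.get(ANDROID_NS + "name", "")
            # Relative names (".Foo") and names under the app's package are fine.
            if name.startswith(LIBRARY_PREFIXES) and not name.startswith(app_pkg + "."):
                findings["namespace_squatting"].append(name)
    return findings


def risk_score(findings):
    """Additive score (weights are assumptions) so a triage queue can sort samples."""
    score = 2 * len(findings["boot_receivers"])
    score += 1 * len(findings["services"])
    score += 3 * len(findings["namespace_squatting"])
    if "android.permission.RECEIVE_BOOT_COMPLETED" in findings["persistence_permissions"]:
        score += 1
    return score


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        found = persistence_indicators(manifest)
        print(label, risk_score(found), found)
```

In practice the decoded manifest comes from apktool or a similar unpacker; the check is only a first pass, since a legitimate app can also register for BOOT_COMPLETED, which is why the namespace-squatting signal (components declared under android.support.* by an app whose package is something else) carries the most weight here.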
Once running, the MobonoGram 2019 malicious app contacts its command and control servers to receive the URLs it should load from the compromised device, a browser user-agent string used to disguise the origin of the requests, and three pieces of JavaScript.
The URLs served vary with the geographic location of the device’s IP address. The three JavaScript snippets are employed for click fraud. It should be noted that the click events were not observed in action, even though all three scripts were indeed loaded. The researchers, however, cannot entirely dismiss the possibility of “the malware being used for click fraud or some other malicious end”, as noted in their report.
This is not the first malicious app developed by the same group. Whatsgram is another app from the threat actors’ portfolio.