A malicious app that advertised itself as an unofficial version of Telegram was downloaded more than 100,000 times, reported Symantec security researchers.
The app is called MobonoGram 2019, and it claimed to provide more features than the official and other unofficial versions available to users. The app which was available in Google Play indeed provided some messaging functionality but its real purpose was to covertly run several services on the targeted device and load “an endless stream of malicious websites in the background”.
More about MobonoGram 2019 Malicious App
As already mentioned, the MobonoGram 2019 app was available for download on Google Play and was downloaded more than 100,000 times. It could be downloaded even in countries where Telegram is banned such as Iran and Russia as well as users in the United States.
The app also “allowed users to toggle between English or the Persian language (Farsi)”. Apparently, the app developers utilized the open-source code of the legitimate Telegram app who injected their malicious code before publishing it on the Play store.
The developer of MobonoGram 2019 app is RamKal Developers. The researchers believe that the developers published at least five updates for the app on Google Play before it was taken down.
One of the notable things about the malicious app “inspired” by Telegram is its persistence mechanism which involved a class named Autostart (android.support.translations.english.autostart) implementing a broadcast receiver. The developers also made sure that this malicious service would run in the foreground because “a foreground service is rarely killed, even when memory is low”. But even is the service is killed, it would still be able to execute itself indefinitely.
This is not the first malicious app developed by the same group. Whatsgram is another example of the threat actors’ portfolio.