Fake Telegram app on more than 100,000 phones infected U.S., UAE Androids

The Android malware pushed fake prizes to generate click fraud. The program’s developers borrowed open-source code from the real Telegram app.

A bogus version of the messaging app Telegram infected downloaders’ phones with a pernicious strain of malware that sent devices searching for malicious sites on an endless loop, according to Symantec research published Monday.

The MobonoGram 2019 app was downloaded more than 100,000 times — mostly by users in Iran, the U.S. and the United Arab Emirates — before it was scrubbed from Google’s marketplace. The program’s developers borrowed open-source code from the real Telegram app, a program that provides encrypted messaging, while adding code that forced the app to try to connect to gaming sites, pornography and other suspicious URLs on a constant basis.

The app also contained Android.FakeYouWon, malware that displays websites promoting fake offers and scams.

Symantec’s discovery of MobonoGram 2019 provides the latest reminder that scammers use programs in the Google Play Store as Trojan horses to infiltrate users’ phones. Many international users would have been tempted to download this program because it was available at least between January and May in countries where Telegram has been banned. Meanwhile, the would-be Telegram included three pieces of JavaScript code to remotely control the program once it was on users’ phones.


“Looking at the three JavaScript codes, we initially believed that the app was originally designed to simulate clicking behind the scenes in order to generate ad revenues and increase web traffic (click fraud),” the researchers wrote in a blog post. “However, the clicking events were not seen in action, even though all JavaScript codes were indeed loaded. Nonetheless, we cannot entirely dismiss the possibility of the malware being used for click fraud or some other malicious end.”

RamKal Developers, which posted the app to the Play Store, also was behind a social messaging app, Whatsgram, that demonstrated much of the same behavior, according to Symantec. That app also has been removed from the marketplace.

Google administrators charged with keeping the Play Store safe have been busy in recent months. One app, detected by the mobile security company Wandera, tried collecting username and password credentials from many of its 50,000 users who thought they were downloading a zombie game. The Play Store also removed 111 apps uncovered by Trend Micro that served deceptive ads that were almost impossible for users to escape.

These issues are symptomatic of a larger problem in the Play Store: app creators can cloak their malicious intent behind encrypted code or time delays, so that a program acts in nefarious ways only once it is on thousands of devices.
