The first Trojan controlled via the Telegram messenger

An analysis carried out by Avast has revealed the first Trojan for Android that uses the public Telegram API to implement its own client for the Google system. The Trojan uses this client to redirect users to a spyware download. For now only internet users from Iran ...

Telegram, in addition to end-to-end encryption of communication, which is based on AES-256, RSA-2018 and DH key exchange, allows any developer to create their own solution that exchanges data between clients in the form of an encrypted chat sent over encrypted HTTPS. Traditionally, the vendor's server mediates the exchange of messages between Telegram users. The public and free API makes it possible to program an application that will not necessarily be used in accordance with the law.

In this campaign the spyware is installed by an app from an untrusted source. In this particular case, we are talking about a Facebook scam: someone encourages users to download an application that displays information about people who have viewed the victim's account or those who have "stripped" the user's profile. In the first case, the alleged number of profile views is generated randomly.


Over 7 million profile views - it's just a pseudo-random number.

The malicious application closes after a few minutes and removes its icon.


The user may believe that the application has been removed. However, it has not.

The Trojan works in the background and its functions are very extensive. The spying consists of stealing information from the device and sending it over an encrypted channel to a server controlled by criminals:

  • pictures of the user (it searches the gallery and uses the front camera to take pictures)
  • contacts from the address book and the list of incoming and outgoing calls
  • SMS messages
  • Google account information
  • location information

Trojan developers can send various additional commands:

  • calling and sending messages
  • providing information about installed applications
  • deleting files saved on the device

Interestingly, the attacker is not the only one who has access to the stolen information:


Someone forgot to protect the server from prying eyes.

The spyware sends all files via a PHP script and saves them in the "/rat/uploads" directory on the server. These files are available to everyone. Someone either did not protect the data or did not pay attention to it.

To protect yourself against similar attacks, install applications only from a trusted source and pay attention to the permissions granted to installed programs.
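
One way to apply this advice across several devices, as an added example that is not part of the original article: map the capabilities listed above to the Android permissions they require and flag apps that were not installed from a trusted store and hold many of them. The inventory format, the package names and the review threshold are assumptions made for this example.

```python
P = "android.permission."
# Capabilities the article lists for this Trojan -> Android permissions they need.
CAPABILITIES = {
    "gallery photos": {"READ_EXTERNAL_STORAGE"},
    "camera": {"CAMERA"},
    "contacts": {"READ_CONTACTS"},
    "call log": {"READ_CALL_LOG"},
    "sms read": {"READ_SMS", "RECEIVE_SMS"},
    "accounts": {"GET_ACCOUNTS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "calling": {"CALL_PHONE"},
    "sms send": {"SEND_SMS"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; adjust per fleet
THRESHOLD = 4  # assumption: capability count that warrants manual review


def audit(app):
    """Return (matched capabilities, sideloaded?, flagged?) for one record."""
    granted = {p[len(P):] for p in app["permissions"] if p.startswith(P)}
    caps = sorted(c for c, need in CAPABILITIES.items() if granted & need)
    sideloaded = app.get("installer") not in TRUSTED_INSTALLERS
    return caps, sideloaded, sideloaded and len(caps) >= THRESHOLD


def review(inventory):
    """Packages to review manually, most spyware-like capabilities first."""
    hits = [(a["package"], audit(a)) for a in inventory]
    flagged = [(len(r[0]), pkg) for pkg, r in hits if r[2]]
    return [pkg for _, pkg in sorted(flagged, key=lambda h: (-h[0], h[1]))]


def perms(*names):
    """Expand short names to full android.permission.* strings."""
    return [P + n for n in names]


# Constructed inventory; package names are made up for this example.
SAMPLE = [
    {"package": "com.example.profileviews", "installer": None,
     "permissions": perms("CAMERA", "READ_CONTACTS", "READ_CALL_LOG", "READ_SMS",
                          "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "SEND_SMS")},
    {"package": "com.example.maps", "installer": "com.android.vending",
     "permissions": perms("ACCESS_FINE_LOCATION", "INTERNET")},
    {"package": "com.example.torch", "installer": None,
     "permissions": perms("CAMERA")},
    {"package": "com.example.dialer", "installer": "com.android.vending",
     "permissions": perms("READ_CONTACTS", "READ_CALL_LOG", "CALL_PHONE", "READ_SMS")},
]
```

Because the Trojan removes its launcher icon, a check based on the installed-package inventory still sees it where a glance at the home screen would not.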


