A bogus version of the messaging app Telegram infected downloaders’ phones with a pernicious strain of malware that sent devices searching for malicious sites on an endless loop, according to Symantec research published Monday.
The MobonoGram 2019 app was downloaded more than 100,000 times — mostly by users in Iran, the U.S. and the United Arab Emirates — before it was scrubbed from Google’s marketplace. The program’s developers borrowed open-source code from the real Telegram app, a program that provides encrypted messaging, while adding code that forced the app to try to connect to gaming sites, pornography and other suspicious URLs on a constant basis.
The app also contained Android.FakeYouWon, malware that displays websites promoting fake offers and scams.
RamKal Developers, which posted the app to the Play Store, was also behind a social messaging app, Whatsgram, that demonstrated much of the same behavior, according to Symantec. That app has also been removed from the marketplace.
Google administrators charged with keeping the Play Store safe have been busy in recent months. One app, detected by the mobile security company Wandera, tried collecting username and password credentials from many of its 50,000 users who thought they were downloading a zombie game. The Play Store also removed 111 apps uncovered by Trend Micro that served deceptive ads that were almost impossible for users to escape.
These issues are symptomatic of a larger problem in the Play Store: app creators can cloak their malicious intent behind encrypted code or time delays, so that a program acts in nefarious ways only once it is on thousands of devices.