The Hidden Dangers of Telegram Mods on Google Play

The Google Play Store, a hub for millions of apps, has recently been targeted by malicious Telegram clones, jeopardizing the security of thousands. These mods, eerily similar to the original and laden with spyware capabilities, pose a substantial threat to individual and business users alike.


Telegram, an encrypted messaging application, allows and encourages the development of “mods” – modified versions of the original software to enhance user experience. While most mods are developed with user benefits in mind, this openness has inadvertently given cybercriminals an opportunity to exploit unsuspecting users.

Masquerading as “faster” alternatives to the conventional Telegram app, these malignant clones have successfully eluded Google Play’s security measures. They predominantly target Chinese-speaking users, with app descriptions available in traditional Chinese, simplified Chinese, and the Uyghur language. A particular subset of these deceptive apps goes by “Paper Airplane,” which entices users with the promise of faster performance, attributing it to a global network of data centers.

What distinguishes the malevolent clones from the genuine Telegram app is an embedded module – powerful spyware that tracks all messenger activity, from collecting contacts to intercepting messages.

The staggering number of downloads – more than 60,000 – highlights the severity of the issue. The Uyghur-targeted version is especially alarming, given the past surveillance and persecution of this ethnic minority by government agencies.

These revelations raise concerns for businesses, especially in light of the growth of mobile spyware and the vast personal and corporate data housed in smartphones. With businesses now leaning heavily on messenger apps for day-to-day communication, such findings serve as a stark reminder of the omnipresent cyber threats.

In response to these findings, Google initiated the removal of these deceptive Telegram clones from its store. Some of these apps had accumulated up to 10,000 downloads before their eventual removal. Nonetheless, concerns persist as not all versions of the malicious apps have been eradicated from the Play Store.

Counterfeit apps have long been a staple in the hacker’s toolkit. Recent revelations exposed another scheme where hackers circulated bogus versions of Signal and Telegram through legitimate app stores to implant information-stealing malware. Another spyware-infused version of Telegram, labeled “FlyGram,” was identified on both Google Play and the Samsung Galaxy Store, as was a trojanized version of the Signal app, named Signal Plus Messenger.

To safeguard their interests, businesses are being advised to caution employees about the risks of third-party apps, even when sourced from reputable app stores. Users are encouraged to be vigilant, paying attention to details like the developer and negative user reviews, not just the app’s name.
