APKPure Served a Data-Stealing Imposter of Telegram

A repackaged Telegram APK on APKPure contained a collector that exfiltrated messages, media and contacts to a server previously running a simple Collector Dashboard.


The Telegram app offered on APKPure in recent days was not Telegram. Or rather, it was a repackaged build carrying extra code that collected messages, media, contacts and location data, then sent them to a server at 38.190.225.166.

Eric Parker first flagged that the Telegram app offered on APKPure included a class named DataCollector sitting inside the package. That single class watched the device media store, captured message attachments and read the phone contact list. It also pulled basic SIM information and location when the app came to the foreground. All of this was queued locally before being uploaded over HTTPS to endpoints under /api/.

The APK carried version 12.6.5, which is not the current release of Telegram.

A vibe-coded C2 dashboard

A researcher posting as @EmoWolfTwink documented that the same IP previously ran a lightweight web interface titled Collector Dashboard. According to Shodan.io records, it was a Vue.js application served by nginx over TLS with a self-signed certificate issued by a CA named Collector-CA. The dashboard appears to be no longer reachable.

Screenshot of the C2 dashboard login page (by @EmoWolfTwink on X), electric blue over grey in Telegram's colour scheme. The login screen is in Chinese: 管理员登录 (Administrator Login), 用户名 (Username), 密码 (Password), 登录 (Login).

Signing certificate mismatch

The package was signed with a certificate that does not match Telegram's official signing key. This was repackaging, not a stolen developer key or a breach of Telegram's build infrastructure. Telegram publishes reproducible-build instructions so users can verify that a downloaded APK matches the published source; this sample fails that check. APKPure nevertheless did not flag the package, and at the time of publication still displays its seal of trust on it.
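The quickest version of the check described above is to fingerprint the APK's signing certificate and compare it with the fingerprint of a build you trust. The following is an added example, not code from the article or from Telegram: it reads the v1 (JAR) signature block, META-INF/*.RSA, walks the PKCS#7 structure with a minimal DER reader and returns the SHA-256 of the first embedded certificate, which is the value `apksigner verify --print-certs` prints. The function names, the `_der` helper and the `SAMPLE_*` data are this example's own; the sample APK it builds is a constructed stand-in with a fake certificate, and the expected fingerprint you compare against in practice must come from a Play Store or telegram.org build.

```python
import hashlib
import io
import zipfile


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end).
    Single-byte tags and definite lengths cover everything a CERT.RSA uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def signer_cert_der(pkcs7):
    """DER bytes of the first certificate in a PKCS#7 SignedData blob (CERT.RSA)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, ci_start, ci_end = _read_tlv(pkcs7, 0)
    content = next(c for c in _children(pkcs7, ci_start, ci_end) if c[0] == 0xA0)
    _, sd_start, sd_end = _read_tlv(pkcs7, content[1])        # SignedData SEQUENCE
    # certificates [0] IMPLICIT SET OF Certificate: its value starts with the first cert TLV
    certs = next(c for c in _children(pkcs7, sd_start, sd_end) if c[0] == 0xA0)
    _, _, cert_end = _read_tlv(pkcs7, certs[1])
    return pkcs7[certs[1]:cert_end]


def signing_cert_sha256(apk_bytes):
    """SHA-256 fingerprint of the v1 signing certificate, or None when the APK
    carries no META-INF signature block (v2/v3-only APKs need apksigner)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = [n for n in zf.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            return None
        cert = signer_cert_der(zf.read(blocks[0]))
    return hashlib.sha256(cert).hexdigest()


def verify_signer(apk_bytes, expected_sha256):
    """True only if a v1 certificate is present and matches the trusted fingerprint
    (accepts the colon-separated upper-case form that apksigner prints)."""
    actual = signing_cert_sha256(apk_bytes)
    return actual is not None and actual == expected_sha256.replace(":", "").lower()


def _der(tag, payload):
    """Encode one DER TLV (used only to construct the sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed sample, not a real certificate: a stand-in Certificate SEQUENCE
# wrapped in the PKCS#7 SignedData layout a CERT.RSA file uses.
SAMPLE_CERT = _der(0x30, b"constructed stand-in for a DER X.509 certificate " * 3)
_OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
_OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
_SIGNED_DATA = _der(0x30,
    _der(0x02, b"\x01")                                  # version
    + _der(0x31, b"")                                    # digestAlgorithms (empty in the sample)
    + _der(0x30, _der(0x06, _OID_DATA))                  # encapContentInfo
    + _der(0xA0, SAMPLE_CERT)                            # certificates [0] IMPLICIT
    + _der(0x31, b""))                                   # signerInfos (empty in the sample)
SAMPLE_PKCS7 = _der(0x30, _der(0x06, _OID_SIGNED_DATA) + _der(0xA0, _SIGNED_DATA))
SAMPLE_CERT_SHA256 = hashlib.sha256(SAMPLE_CERT).hexdigest()


def _build_sample_apk(signed=True):
    """Minimal zip in APK layout; the signature block is omitted when signed=False."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", SAMPLE_PKCS7)
    return buf.getvalue()


SAMPLE_APK = _build_sample_apk()
UNSIGNED_APK = _build_sample_apk(signed=False)

if __name__ == "__main__":
    print("signer fingerprint:", signing_cert_sha256(SAMPLE_APK))
    print("matches trusted fingerprint:", verify_signer(SAMPLE_APK, SAMPLE_CERT_SHA256))
    print("unsigned sample:", signing_cert_sha256(UNSIGNED_APK))
```

On a real download, pass `open("telegram.apk", "rb").read()` to `verify_signer` together with the fingerprint obtained from `apksigner verify --print-certs` on a build fetched from the Play Store or telegram.org. A `None` result means the file has no v1 block at all, which is normal for newer v2/v3-only APKs and is not by itself a sign of tampering; use apksigner in that case. A mismatch against a known-good fingerprint is the signal this article describes.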

Was it detected by Android antivirus vendors?

Screenshot of the VirusTotal results for the malicious Telegram sample: one engine detects it while all the others show the undetected checkmark.

At the time of writing, only AhnLab detected the malicious APK on VirusTotal as Trojan/Android.SpyAgent.1166552.

You can find the sample for further analysis on MalwareBazaar, where so far only FileScan and Incinerator flag it as malicious.

Where to find the real app

Get Telegram from the Google Play Store or directly from telegram.org/apps. Both routes deliver properly signed, up-to-date builds with automatic updates. Third-party APK mirrors introduce exactly this supply-chain risk, particularly for apps that handle private communications.

If you installed the APKPure version recently, remove it now.

Key indicators (IoCs)

  • SHA-256: 7d44e0009d251ae4983f5bf29f7d8aa9af668df88dba05a17a7a314f6780ceff
  • C2 address: 38.190.225.166 (previously serving the Collector Dashboard)
  • Observed endpoints: /api/collect, /api/collect_batch, /api/config, /api/image, /api/doc, /api/media, /api/avatar
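To put the indicators above to use on an APK you already have, the following added example (not code from the article) hashes the file against the published SHA-256 and searches every zip entry for the C2 address, the collector class name and the observed endpoint paths. DEX string tables store ASCII strings unchanged (MUTF-8), so a plain byte search finds them unless a sample encrypts or splits its strings. The `triage_apk` and `verdict` names, the `_zip_with` helper and the two sample archives are this example's own; the sample "classes.dex" entries are constructed stand-ins containing only the strings that matter, and the package path `com/example/app` is invented, not the sample's real one.

```python
import hashlib
import io
import zipfile

# Indicators from the article.
SAMPLE_SHA256 = "7d44e0009d251ae4983f5bf29f7d8aa9af668df88dba05a17a7a314f6780ceff"
C2_ADDRESS = "38.190.225.166"
CLASS_NAME = "DataCollector"
ENDPOINTS = ["/api/collect", "/api/collect_batch", "/api/config",
             "/api/image", "/api/doc", "/api/media", "/api/avatar"]


def triage_apk(apk_bytes):
    """Return {'sha256', 'hash_match', 'string_hits'} for an APK.

    string_hits maps each indicator found to the zip entries containing it.
    A raw byte search is deliberate: it also covers assets, native libraries
    and anything the sample tucked outside classes.dex."""
    report = {"sha256": hashlib.sha256(apk_bytes).hexdigest(), "string_hits": {}}
    report["hash_match"] = report["sha256"] == SAMPLE_SHA256
    needles = [C2_ADDRESS, CLASS_NAME] + ENDPOINTS
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            data = zf.read(name)
            for needle in needles:
                if needle.encode() in data:
                    report["string_hits"].setdefault(needle, []).append(name)
    return report


def verdict(report):
    """Rank the evidence: an exact hash is conclusive, the C2 address or the
    collector class is strong, bare /api/ paths alone are weak because benign
    apps use similar routes."""
    hits = report["string_hits"]
    if report["hash_match"]:
        return "match"
    if C2_ADDRESS in hits or CLASS_NAME in hits:
        return "likely"
    if hits:
        return "weak"
    return "clean"


def _zip_with(entries):
    """Build an in-memory zip from {name: bytes} (sample construction only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins, not real DEX files: only the string-table content
# that matters for the search, placed where a real classes.dex would carry it.
SUSPICIOUS_APK = _zip_with({
    "AndroidManifest.xml": b"<placeholder/>",
    "classes.dex": (b"dex\n035\x00Lcom/example/app/DataCollector;\x00"
                    b"https://38.190.225.166/api/collect_batch\x00"),
})
CLEAN_APK = _zip_with({
    "AndroidManifest.xml": b"<placeholder/>",
    "classes.dex": b"dex\n035\x00Lcom/example/app/Settings;\x00/api/config\x00",
})

if __name__ == "__main__":
    for label, apk in (("suspicious", SUSPICIOUS_APK), ("clean", CLEAN_APK)):
        rep = triage_apk(apk)
        print(label, verdict(rep), sorted(rep["string_hits"]))
```

Run `triage_apk(open("telegram.apk", "rb").read())` on a downloaded file; a `match` verdict means the exact sample above, `likely` means the C2 address or collector class is present even if the file has been rebuilt or re-signed since, and `weak` on its own is not evidence of this campaign.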