Hackers Transformam Telegram em Vetor de Malware - Criptomoedas em Risco

Mensageiro popular se torna cavalo de Troia para ataques cibernéticos

O aplicativo de mensagens Telegram, amplamente utilizado pela comunidade cripto, está sendo explorado por cibercriminosos como nova porta de entrada para malware. A mesma plataforma que facilita comunicação rápida entre traders agora distribui ameaças digitais.

Vetor de Ataque Sofisticado

Hackers estão usando canais legítimos do Telegram para disseminar códigos maliciosos disfarçados de ferramentas de trading ou análises de mercado. A infraestrutura peer-to-peer do aplicativo, antes vista como vantagem de privacidade, agora serve como rede de distribuição para ameaças.

Comunidade Cripto em Alerta

Investidores digitais precisam redobrar cuidados com links e arquivos compartilhados através da plataforma. A mesma agilidade que torna o Telegram ideal para negociações rápidas também acelera a propagação de ameaças.

Enquanto isso, os mesmos bancos tradicionais que criticam a segurança cripto continuam sofrendo brechas bilionárias - ironicamente, agora através de aplicativos que eles mesmos recomendam.

Hackers weaponize Telegram with malware to gain access

The report claims that the backdoor distribution started in 2024, with the hacker primarily targeting Brazilian and Indonesian users through Portuguese and Indonesian language templates. The victims come across advertisements within the mobile application, which redirect them to fake app catalogs featuring fake reviews and promotional banners advertising free video chats and dating opportunities. These fake websites deliver apps infused with malware that look the same as the legitimate ones.

Aside from the malicious websites, the backdoor has also infiltrated established third-party repositories, including APKPure, ApkSum, and AndroidP, where it is deceptively posted under the official messenger developer’s name despite having a different digital signature.

Analysts identified the malware as having an exceptional capability to steal confidential information, which includes login credentials, passwords, and complete chat histories. The backdoor also hides compromised account indicators by hiding third-party device connections from active Telegram session lists.

In addition, it is capable of removing or adding its victims to channels and chats without their approval, disguising these actions entirely, and transforming compromised accounts into tools for artificially inflating Telegram channel subscribers.

What sets it apart from conventional Android threats is its use of the Redis database for command-and-control operations. The earlier versions of the malware relied on traditional C2 servers, but the developers have integrated Redis-based commands.

Malware manipulates functionalities without detection

The report claims that the backdoor uses multiple techniques to manipulate messenger functionalities without being detected. For operations that won’t interfere with core app features, the hackers use already prepared mirrors of messenger methods, which are separate code blocks responsible for specific tasks within the Android program architecture.

This mirror allows the app to display phishing messages within windows that perfectly replicate the original Telegram X interfaces.

For other operations that require deeper integration, the malware uses the Xposed framework to modify the app methods, allowing abilities like hiding specific chats, concealing authorized devices, and intercepting clipboard contents. The backdoor malware uses the Redis channels and C2 servers to receive extensive commands, including uploading SMS, contacts, and clipboard contents whenever a user minimizes or restores the messenger window.

The clipboard monitoring is used by hackers to steal data, such as crypto wallet passwords, mnemonic phrases, or confidential business communications that were unknowingly exposed. The backdoor collects device information, installed application data, message histories, and authentication tokens, and transmits the information to the hackers every three minutes while maintaining the appearance of a normal Telegram messenger operation.

Get $50 free to trade crypto when you sign up to Bybit now