A malicious Telegram application named ‘MobonoGram 2019’ was found affecting users in Iran, Russia, and the US. The app, which advertised itself as an unofficial version of Telegram, was available for download on the Google Play Store.
What are its characteristics?
According to a Symantec report, the unofficial version of Telegram, MobonoGram 2019, was used to spread malware detected as Android.Fakeyouwon. The malicious app had garnered about 100,000 downloads before it was removed.
The app was widely used in regions where the official Telegram app is banned, and it came with more features. The researchers noted that the developers injected the malware into the app before publishing it on the Play Store.
“While the app does provide basic messaging functionality, we found it was also secretly running a few services on the device without the user’s consent, as well as loading and browsing an endless stream of malicious websites in the background,” said the researchers in a blog post.
About the persistence mechanism
The malicious app came with an ‘Autostart’ feature that enabled it to launch itself without waiting for the user’s permission. The app also initiated additional services that went unnoticed by the user.
The URL is used to redirect users to fraudulent pages claiming to be gaming or adult websites. Apart from this, researchers also found some URLs that caused an infinite loop of requests to the website. Such activity can exhaust the device’s battery while causing the device to crash.
Another malicious app on the block
During the research, Symantec researchers also came across another malicious social messaging app, named Whatsgram, on the Play Store. The app was published by the same developer, RamKal Developers, that had created ‘MobonoGram 2019’.