John Leyden 06 Jun 2019 at 15:31 UTC
Updated: September 05, 2019 at 14:34 UTC
Government controls lower the barrier to wrongdoing
Attempts by the Iranian state to block secure instant messaging apps spawned the development of cloned Telegram and Instagram apps under the guise of enhanced functionality or censorship bypass.
While these apps provide access to Telegram’s secure messaging, they also grant their operators full access to their users’ contacts and chats.
During a presentation at BSides London on Wednesday, Paul Rascagnères, security researcher at Cisco Talos, explained how cloned versions of Telegram are used to spy on the public.
“The problem is not limited to rogue app stores or state-sponsored groups; it can be deployed by any malicious actor with the appropriate knowledge,” according to Rascagnères.
“These attacks are possible not only because of the lack of security awareness of the general public, but also because [secure instant messaging] developers are not doing their part to improve the safety of their users.”
Spy on the wire
“The Iranian government’s attempts to gain access to Telegram chats through hacking are neither new nor recent,” Rascagnères told attendees at the BSides conference in London.
Telegram was used during protests against the Iranian government in December 2017 and has therefore become a focus of special attention.
State-sponsored attackers have a varied toolkit at their disposal to attempt to access social media and secure messaging apps remotely.
Cisco Talos has seen different techniques at play, including bogus login pages, malicious apps disguised as their legitimate counterparts, and Border Gateway Protocol (BGP) hijacking, specifically targeting Iranian users of the Telegram and Instagram apps.
Once installed, some Telegram “clones” have access to contact lists and full messages on the mobile device, even when users are also using the legitimate Telegram app. In the case of fake Instagram apps, the malware sends the full session data back to the operators’ back-end servers.
In some cases, developers add support for virtual currency or the Farsi language, among other features.
Clear and present danger
Some of Telegram’s features are subject to abuse, according to Rascagnères, who added that the lack of proper defaults and transparency from the official developers of the popular app increases the risk of potential malfeasance.
Cloned versions of Telegram are distributed through local stores or (in some cases) the legitimate Google Play Store. Iranian IP addresses cannot access Apple’s App Store due to sanctions.
Telegram and Instagram are used by millions of people in Iran despite government blocks and controls.
Telegram, in particular, is exceptionally popular, with its use far exceeding that of secure messaging apps like Signal and WhatsApp which are popular in the West.
Iranian users must agree to install a developer certificate to allow a cloned app to run on their device.
“It’s bad from a security point of view, but when you don’t have access to the official store, you have to find a way to use the app,” Rascagnères said.
In an example cited by Rascagnères, anyone who installs a cloned version of Telegram from publisher andromedaa.ir would be connected to the same channel, which has 1.5 million subscribers.
Andromedaa.ir develops software for iOS and Android aimed at increasing user exposure on social networks, such as Instagram, as well as the number of Iranian users on certain Telegram channels.
Owners of this channel have full access to user contacts, sessions, and chats. While this access is not subject to active abuse, it is a “borderline” case, Rascagnères said.
Cisco Talos calls on anti-malware software vendors to label these apps as potentially unwanted due to the serious privacy threat they pose.
The price list on Zerodium shows the market value of exploits against mobile email clients running on iOS or Android devices, with prices of $500,000 and up. This expensive and technically difficult route can be bypassed entirely if an attacker can trick a user into installing a questionable application.
Rascagnères’ presentation at BSides provided an update on Cisco Talos’ research into the privacy threats facing Iranian Instagram and Telegram users.
Other security companies have reported similar abuses.
For example, in April, Malwarebytes warned that fake Instagram helper apps found on Google Play were stealing passwords. These bogus apps, which were quickly removed, targeted Iranian users.