Unofficial Telegrams and privacy in Iran

M4cr0s
Jun 8 · 6 min read

For more than a few years, Telegram has been the main and most popular messenger among Iranians. After a series of events, the Iranian government decided to block Telegram, and after the block, conditions for cyberspace and for people in Iran became very bad.

The use of VPNs and proxies increased, and mobile malware became more widespread because a large part of the population stopped using the app markets to install the apps they needed.

After a while, with the release of Telegram's MTProto proxy, most people used proxies and VPNs, and the block could barely stop anyone from using Telegram. At the same time, two unofficial Telegram clients appeared, under the names Golden Telegram (also known as Talagram) and Hotgram. These versions used their own built-in free proxies to bypass censorship, which is why a lot of people turned to them: they were free and available.

At first there was no specific information about the creators of these versions, but research revealed that they were developed by a company called Iran's Intelligent Solutions Land (SLS).

But these versions have strange levels of access and can do things such as:

. Prevent access to certain channels (whichever ones they choose)

. Collect the channels and groups the user subscribes to

. Send messages from the user's account without their knowledge, delete some of their channels, and subscribe them to any channel

. Report channels using users' accounts without their knowledge

. Open specific URLs, and so on

(According to research in May 2018)
“Some of these cases have already been corrected”

For example, this is a config link that the application fetches. It contains a list of channels whose access is restricted, and also an ad text that the app sends out without notifying the user:

http://lh5.talagram.ir/v1/config?appVer=400&apiVer=12&slt=1451531004625&appId=3

Talagram privacy policy

Even after these cases were detected, the developers of these apps were still not transparent.
There were also whispers that Golden Telegram and Hotgram were backed by the Ministry of Intelligence and the government (there is no evidence for this).
In fact, Golden Telegram and Hotgram were breaking the law by bypassing censorship, which is basically illegal (if you, as an ordinary user, do such a thing), yet these apps are allowed.
Another important point is that some of the proxy servers are inside Iran.

And I was like

These versions also suffered from major security problems of their own. For example:

Their proxies could be retrieved and used in other applications.

You can get a fresh proxy from links like this one:
http://lh58.hotgram.ir/v1/proxy?slt=54199123&appId=3

The proxy is encrypted with AES, and you can decrypt it with the key "KCH@LQj#>6VCqqLg" (in some cases the key is hardcoded in the app or delivered with the JSON).
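Because the proxies handed out by these clients are reusable and some of the servers sit inside Iran (as noted above), an analyst reviewing a harvested proxy list usually wants to know where each server is hosted before trusting it. The script below is an added example, not code from the post or from the apps it describes: it parses proxy entries in Telegram's public MTProto link format (server, port, secret) and buckets them by whether the server address falls inside a set of prefixes. It assumes the entries have already been decoded from the app's AES payload (the post gives the key but not the cipher mode, so decryption is not shown), and both the sample links and the "in-country" prefix list are constructed placeholders using documentation ranges, not real infrastructure.

```python
"""Bucket MTProto proxy links by whether the server sits inside given IP prefixes.

Added example, not part of the original post. The tg://proxy and
https://t.me/proxy link layout (server, port, secret) is Telegram's public
MTProto proxy link format; the sample links and the prefix list are
constructed placeholders (RFC 5737 documentation ranges), not real servers.
"""
import ipaddress
from urllib.parse import urlparse, parse_qs

# Constructed placeholder: an analyst would fill this from RIR allocation data
# or a geo-IP feed for the country of interest.
IN_COUNTRY_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample links (documentation addresses, placeholder secrets).
SAMPLE_LINKS = [
    "tg://proxy?server=192.0.2.10&port=443&secret=dd00112233445566778899aabbccddeeff",
    "https://t.me/proxy?server=203.0.113.5&port=8443&secret=00112233445566778899aabbccddeeff",
    "tg://proxy?server=proxy.example.invalid&port=443&secret=00112233445566778899aabbccddeeff",
]


def parse_proxy_link(link):
    """Return (server, port, secret) from a tg:// or https://t.me/proxy link.

    Raises ValueError when the link is not a proxy link or a field is missing
    or malformed, so callers can quarantine junk entries instead of crashing.
    """
    url = urlparse(link)
    is_tg = url.scheme == "tg" and url.netloc == "proxy"
    is_tme = url.scheme == "https" and url.netloc == "t.me" and url.path == "/proxy"
    if not (is_tg or is_tme):
        raise ValueError(f"not an MTProto proxy link: {link}")
    params = parse_qs(url.query)
    try:
        server = params["server"][0]
        port = int(params["port"][0])
        secret = params["secret"][0]
    except (KeyError, IndexError, ValueError) as exc:
        raise ValueError(f"incomplete proxy link: {link}") from exc
    if not 0 < port < 65536:
        raise ValueError(f"bad port in proxy link: {link}")
    # The secret must be hex; a "dd" prefix marks the padded ("secure") variant.
    bytes.fromhex(secret)
    return server, port, secret


def classify(links, prefixes=IN_COUNTRY_PREFIXES):
    """Bucket links into inside / outside the prefixes, hostname (needs DNS
    resolution before it can be placed), or invalid (unparseable)."""
    result = {"inside": [], "outside": [], "hostname": [], "invalid": []}
    for link in links:
        try:
            server, port, _secret = parse_proxy_link(link)
        except ValueError:
            result["invalid"].append(link)
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            # Not a literal address: a hostname, to be resolved out of band.
            result["hostname"].append((server, port))
            continue
        bucket = "inside" if any(addr in p for p in prefixes) else "outside"
        result[bucket].append((server, port))
    return result


if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_LINKS).items():
        print(f"{bucket}: {entries}")
```

Hostnames are deliberately left unresolved rather than looked up inline, so the script runs offline and the analyst decides when and from where DNS queries are made.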

Unofficial editions, or colorful Telegrams, or malware

Gradually, hackers and fraudsters developed their own unofficial versions and attracted users to install them with a lot of advertising on Telegram and in the marketplaces.

This ad got 12 million views.

Ad banner with 12.2M views

This graph shows some of the unofficial Telegrams that use Golden Telegram (Talagram) proxies (June 2018).

VirusTotal graph, June 2018

This type of malware could have complete control over the user's account, for example to:

. Force-add users to channels and not let them leave
. Force users to view specific content
. Force users to send ad messages to the groups they subscribe to
. Force users to browse a URL in the background, building a botnet of users for DDoS purposes
. Enroll users in VAS services or use them to send spam SMS
. Access users' SMS or some of their identity information

And all of that happened without the user's knowledge.

They sold their users as members: for example, you could add thousands of real users to your channel for a fee,
or show your content to thousands of real users who have no idea what happened.
This version even sends promotional messages from the user's account without the user's knowledge.

They also provide services to silently force-install another app on users' phones, or to send push notifications and ads based on the user's location.
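The capabilities listed above (reading SMS, enrolling users in paid SMS services, silently installing other apps, location-targeted ads, and a push channel for remote orders) all leave traces in the manifest of the app that carries them, which is the first thing a reviewer should look at before installing a "colorful" client. The script below is an added example, not code from the post or from any of the apps it names: it reads a decoded AndroidManifest.xml and flags permissions a chat client has no reason to request, plus any component registered to receive Firebase push messages. The manifest is a constructed sample with a placeholder package name; the permission names and the messaging intent action are the real Android and Firebase constants.

```python
"""Flag manifest-declared capabilities that a messenger has no business requesting.

Added example, not code from the post or from any app it names. The manifest
below is a constructed sample (placeholder package name); the permission
strings and the Firebase messaging action are the real platform constants.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Permission -> the capability the post attributes to the malicious builds.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_SMS": "read the user's SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (spam, VAS sign-up)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
    "android.permission.ACCESS_FINE_LOCATION": "location-targeted ads",
    "android.permission.READ_PHONE_STATE": "read device identifiers",
}

# Constructed sample: a decoded manifest of a hypothetical unofficial client.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Messenger">
        <service android:name=".PushService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """All <uses-permission android:name=...> values, in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def push_components(manifest_xml):
    """Services/receivers wired to Firebase messaging: the channel the post
    says later builds used to deliver JSON commands."""
    root = ET.fromstring(manifest_xml)
    found = []
    for comp in root.iter():
        if comp.tag not in ("service", "receiver"):
            continue
        actions = {a.get(NAME_ATTR) for a in comp.iter("action")}
        if FCM_ACTION in actions:
            found.append(comp.get(NAME_ATTR))
    return found


def triage_manifest(manifest_xml):
    """Return the suspect permissions (with the capability each implies) and
    the push-receiving components, for a reviewer to weigh against what a
    chat client legitimately needs."""
    perms = requested_permissions(manifest_xml)
    findings = [(p, SUSPECT_PERMISSIONS[p]) for p in perms if p in SUSPECT_PERMISSIONS]
    return {"suspect_permissions": findings, "push_components": push_components(manifest_xml)}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for perm, capability in report["suspect_permissions"]:
        print(f"suspect: {perm} -> {capability}")
    for comp in report["push_components"]:
        print(f"push receiver: {comp}")
```

A push-capable service is not suspicious by itself (the official client uses push too); the point is that a reviewer should note where push messages land, because static analysis of a client that takes its orders over push will not reveal the command server, as the post describes further down.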

New C&C method

The fraudsters also built a business around this and created websites themed around selling members.
All of these unofficial versions use proxies taken from Golden Telegram and Hotgram.
"In some cases, unofficial versions were spying"
According to the reviews, by decompiling the unofficial versions we could get at the URLs and APIs associated with them, and so find the developers.
But after a while they switched to another method for their command and control: they use push notification services and JSON as the C&C channel.
For example, they send commands as JSON objects, and the app parses them into commands it already defines internally.

In this way, researchers and malware hunters cannot find accurate information about the application and its developers, and cannot even statically determine what the malware is capable of; they can only find the push notification service token, which gives them nothing useful.
Now, unofficial Telegrams have led many people to use infected versions that hackers and fraudsters can use for their own purposes,
and the access these apps have, together with the ability to force advertisements onto many people, has made Iran's cyberspace a good place to spread malware.

And some of them use the Tor network.

So now you can pay for an unofficial Telegram, advertise it to collect users, then control all of those users through the push notification panel and profit from them.

Since Google has removed some of these apps in recent days, some of them now require users to disable Google Play Protect before they will work.

Unofficial editions instruct users to disable Google Play Protect

From the outset, Telegram could have prevented these events by blocking unofficial editions, but it did not do so.
Durov merely says that the unofficial versions are unsafe, but he doesn't do anything about it.