Government controls lower the barrier for malfeasance

Attempts by the Iranian state to block secure instant messaging apps have spawned the development of cloned Telegram and Instagram applications under the cover of enhanced features or censorship bypass.

Although these apps allow access to Telegram's secure messaging, they also grant their operators complete access to the contacts and chats of their users.

During a presentation at BSides London on Wednesday, Paul Rascagnères, a security researcher at Cisco Talos, explained how cloned versions of Telegram are being used to spy on the public.

“The problem is not limited to rogue application stores or to state-sponsored groups; it can be deployed by any malicious actor with the proper knowledge,” according to Rascagnères.

“These attacks are possible not only due to the lack of security awareness of the public in general, but also because [secure instant messaging] developers are not doing their share to improve the security of their users.”

Spy on the wire

“Iranian government attempts to access Telegram chats through hacking are neither new nor recent,” Rascagnères told BSides London conference participants.

Telegram was used in protests against the Iranian government in December 2017 and has therefore become a particular focus of attention.

State-sponsored attackers have a varied toolkit at their disposal in attempts to remotely gain access to social media and secure messaging applications.

Cisco Talos has seen different techniques in play, including fake login pages, malicious apps disguised as their legitimate counterparts, and Border Gateway Protocol (BGP) hijacking, specifically targeting Iranian users of the secure messaging app Telegram and of Instagram.

Once installed, some Telegram “clones” have access to mobile devices’ full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to backend servers.

In certain instances, the developers of these clones add features such as virtual currency or Farsi language support to make the apps more attractive.

Clear and present danger

Some of the features of Telegram are open to abuse, according to Rascagnères, who added that the lack of proper defaults and transparency from the official developers of the popular app increases the scope for potential malfeasance.

Cloned versions of Telegram are distributed through local stores or, in some cases, the legitimate Google Play Store. Iranian IP addresses are blocked from accessing Apple's App Store due to sanctions.

Telegram and Instagram are used by millions in Iran in spite of government blocks and controls.

Telegram, in particular, is exceptionally popular, with its use far exceeding that of secure messaging apps like Signal and WhatsApp that are popular in the West.

Iranian users need to agree to install a developer certificate to allow a cloned app to run on their device.

“This is bad from a security perspective, but when you don’t have access to the official store you have to find a way to use the application,” Rascagnères said.

In one example cited by Rascagnères, everyone who installs a cloned version of Telegram from the publisher andromedaa.ir is said to be connected to the same channel, which has racked up 1.5 million subscribers.

Andromedaa.ir develops software for iOS and Android intended to increase users’ exposure on social media networks, like Instagram, as well as the number of Iranian users on certain Telegram channels.

The owners of that channel have full access to users’ contacts, sessions, and chats. Although this access isn’t being actively abused, it is a “borderline” case, Rascagnères said.

Cisco Talos is calling on anti-malware vendors to label such apps as potentially unwanted because of the severe privacy threat they pose.

The price list on Zerodium shows the market value of exploits against mobile messenger clients running on iOS or Android devices, with prices that can reach $500,000 or more. This costly and technically difficult exercise can be bypassed entirely if an attacker can trick a user into installing a dodgy app.

Rascagnères’ presentation at BSides offered an update on research by Cisco Talos on the privacy threats faced by Iranian users of Instagram and Telegram.

Other security firms are logging similar malfeasance.

For example, in April Malwarebytes warned that fake Instagram assistance apps found on Google Play were stealing passwords. These fake apps, which were quickly removed from the store, were targeting Iranian users.