cross-posted from: https://piefed.world/c/tech/p/1146502/telegram-apk-from-apkpure-is-a-spyware

Analyzing the APK with jadx shows that it contains a class DataCollector, which does not exist in the .apk file downloaded from the official Telegram website.

This class collects a lot of your data, including:

  • Your photos, videos, and files
  • Your contacts
  • Your messages
  • Your GPS Coordinates
  • Your SIM card information
  • Your Telegram profile

This data is monitored and uploaded continuously. All the data is uploaded to a server with IP address 38.190.225.166.

💬 Initial discovery by Eric Parker

🔗 APK Analysis: Part 1 | Part 2.

Source on Telegram.
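An added example (not from the post, and not the poster's or Eric Parker's jadx workflow) of the same differential check done as a script: pull every class descriptor out of the classes*.dex files of two APKs and list the ones present only in the third-party copy, so an extra class like the DataCollector described above stands out before anything is installed. Standard library only; the toy DEX/APK builders and every class name in them are constructed for the demonstration, not taken from Telegram's build.

```python
"""Differential triage of a third-party APK against the official build:
list the DEX classes the suspect contains that the official one does not.
Added example (not the poster's jadx workflow); standard library only.
All class names used for the demo are constructed."""
import io
import struct
import zipfile


def _uleb128(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a ULEB128 value at pos; return (value, position after it)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def dex_class_names(dex: bytes) -> list[str]:
    """Descriptors of every class_def_item (e.g. 'Lcom/x/DataCollector;'),
    resolved class_defs -> type_ids -> string_ids -> string_data_item."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    _, string_ids_off, type_ids_size, type_ids_off = struct.unpack_from("<IIII", dex, 56)
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 96)
    names = []
    for i in range(class_defs_size):
        (class_idx,) = struct.unpack_from("<I", dex, class_defs_off + 32 * i)
        if class_idx >= type_ids_size:
            raise ValueError("class_idx out of range (corrupt DEX)")
        (desc_idx,) = struct.unpack_from("<I", dex, type_ids_off + 4 * class_idx)
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * desc_idx)
        _, start = _uleb128(dex, data_off)  # utf16 length, then MUTF-8 bytes, NUL
        names.append(dex[start:dex.index(b"\x00", start)].decode("utf-8", "replace"))
    return names


def apk_classes(apk: bytes) -> set[str]:
    """Union of class descriptors over classes.dex, classes2.dex, ... in an APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
                found.update(dex_class_names(z.read(name)))
    return found


def added_classes(official_apk: bytes, suspect_apk: bytes) -> list[str]:
    """Classes only the suspect build has. A copy of the same version taken
    from a mirror should add none relative to the developer's own file."""
    return sorted(apk_classes(suspect_apk) - apk_classes(official_apk))


def build_toy_dex(descriptors: list[str]) -> bytes:
    """Constructed sample: minimal DEX with one class_def per descriptor.
    Only the tables dex_class_names reads are filled in; not loadable on Android."""
    n = len(descriptors)
    string_ids_off, type_ids_off = 112, 112 + 4 * n
    class_defs_off = type_ids_off + 4 * n
    data_off = class_defs_off + 32 * n
    string_ids, data = b"", b""
    for d in descriptors:
        assert len(d) < 128  # a single ULEB128 byte covers the length here
        string_ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(d)]) + d.encode("utf-8") + b"\x00"
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))
    class_defs = b"".join(struct.pack("<I", i) + b"\x00" * 28 for i in range(n))
    header = bytearray(112)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<IIII", header, 56, n, string_ids_off, n, type_ids_off)
    struct.pack_into("<II", header, 96, n, class_defs_off)
    return bytes(header) + string_ids + type_ids + class_defs + data


def build_toy_apk(descriptors: list[str]) -> bytes:
    """Constructed sample APK: a zip holding just a toy classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_toy_dex(descriptors))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Real use: python apk_class_diff.py official.apk suspect.apk
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        for cls in added_classes(f.read(), g.read()):
            print("only in suspect:", cls)
```

The diff is only meaningful between the same version of the app, and an obfuscated build renames classes between releases, so treat an unexpected descriptor as a lead to open in jadx rather than a verdict; the reverse check (classes missing from the suspect) is worth printing too when the two files claim the same version.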

  • corsicanguppy@lemmy.ca · ↑5 · 1 day ago

    YSK: as a mass noun, ‘spyware’ doesn’t need the indefinite article. We don’t “a happy”, for instance, and we heckle those who say “a software”.

  • DupaCycki@lemmy.world · ↑38 · 2 days ago

    Who downloads Telegram’s apks from third party sources if they’re freely available on Telegram’s official website?

    It’s literally the first result when you search for “telegram apk” (DuckDuckGo). Followed by apkpure.

  • clb92@feddit.dk · ↑42 · 2 days ago

    So APKPure is not trustworthy? Do they not have any verification of APKs?

    • Mercer@nord.pub · ↑7 · 2 days ago

      Maybe there was before, but now something has changed. I would recommend looking at alternatives to this site, for example on fmhy(.)net or on alternative net, but I would download the application from official sources, like the Play market, or open source programs from F-Droid.

      • clb92@feddit.dk · ↑14 · 2 days ago

        I know that APKMirror supposedly verifies the APK files’ hashes against official sources, so APKs you get there should be fine, unless the developer was compromised at some point, or unless APKMirror itself is lying, but it is run by the people behind Android Police, as far as I know.

    • quick_snail@feddit.nl · ↑1 · 2 days ago

      If it’s in the official F-Droid, it’s met some very strict inclusion criteria.

      Read the anti-feature warnings; it’s all very clear.

    • Staff@piefed.world · ↑3 · 2 days ago (edited)

      Forkgram is kinda sus on my phone. It’s always opening notifications, sometimes when I open the browser. I keep wondering if it’s just me.

  • mfed1122@discuss.tchncs.de · ↑8 · 2 days ago

    This is why it really sucks that app developers offering their APKs directly isn’t more common; it forces people to turn to sites like this. I’ve installed apps from APKMirror just because I want to avoid Google Play. I don’t really understand why there isn’t some third-party app store that helps lift the hosting and verification burden from developers but still doesn’t rely on randos uploading APKs from Google Play.

    What a great world it would be if every time you went to some software’s website with an app, they had that “download from Google Play” button right next to a “download from <this other legit store>” button, so you know it’s their real account, and a “download APK” button, because why not put some faith in users?

  • stat_rosa@lemy.nl · ↑3 · 2 days ago

    This is the thing that worries me. I’m currently de-Googling and relying on sources like F-Droid, but these sneaky tricks seem unavoidable.

  • JohnDarlen@lemmy.today · ↑4 · 2 days ago

    That’s why I’m extremely strict about the permissions I allow my apps. My Telegram is official but still has no permission for contacts, camera, or images/files.

    • Luffy@lemmy.ml · ↑9 · 2 days ago

      What? There were so many ways to not download this, from using a certificate provided by Telegram to… well, just downloading it from Telegram directly.

      This is not something that would need such drastic actions as blocking everything that’s not from one authority, and even with that I’ll remind you that Google as an authority has in no way better standards in many ways.

      Also, feddit.UK, so show me your ID.
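Picking up the point made above about checking the APK against Telegram's certificate (and the earlier one about APKMirror verifying files against official sources): an added example, not from the thread, that pins the signer certificate fingerprint printed by the Android SDK's apksigner tool (`apksigner verify --print-certs`) to the one recorded from an APK downloaded from the official site. EXPECTED_SHA256 is a placeholder to be filled in from that official build; SAMPLE_OUTPUT is constructed in apksigner's output format and contains no real fingerprint.

```python
"""Pin an APK's signing certificate to the one in the official build.
Added example, not from the thread. Assumes the Android SDK's apksigner
is on PATH, and that EXPECTED_SHA256 was recorded beforehand by running
`apksigner verify --print-certs` on an APK from the official website."""
import re
import subprocess

# Placeholder, not Telegram's real fingerprint: fill in from the official APK.
EXPECTED_SHA256 = "0000000000000000000000000000000000000000000000000000000000000000"

# apksigner prints one such line per signer; digests are hex without colons.
_DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)


def parse_signer_digests(apksigner_output: str) -> dict[int, str]:
    """Map signer number -> lowercase SHA-256 digest of its certificate."""
    return {int(n): d.lower() for n, d in _DIGEST_RE.findall(apksigner_output)}


def run_apksigner(apk_path: str) -> str:
    """Run `apksigner verify --print-certs`. apksigner exits non-zero when the
    signature does not verify at all, which check=True turns into an error."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def signer_matches(apksigner_output: str, expected_sha256: str = EXPECTED_SHA256) -> bool:
    """True only if there is at least one signer and every signer certificate
    is the pinned one; no signer lines at all is treated as a failure."""
    digests = parse_signer_digests(apksigner_output)
    return bool(digests) and all(d == expected_sha256.lower() for d in digests.values())


# Constructed sample in apksigner's output format (not a real certificate).
SAMPLE_OUTPUT = """\
Signer #1 certificate DN: CN=Example Developer, O=Example, C=XX
Signer #1 certificate SHA-256 digest: 11223344556677889900aabbccddeeff11223344556677889900aabbccddeeff
Signer #1 certificate SHA-1 digest: 1122334455667788990011223344556677889900
Signer #1 certificate MD5 digest: 11223344556677889900112233445566
"""

if __name__ == "__main__":
    import sys
    out = run_apksigner(sys.argv[1])
    if signer_matches(out):
        print("signer matches the pinned official certificate")
    else:
        print("UNEXPECTED SIGNER:", parse_signer_digests(out))
```

A repackaged APK cannot carry the developer's signature, because the private key never leaves the developer, so a fingerprint mismatch settles the question regardless of what the mirror claims. Android itself only enforces signer continuity when updating an app that is already installed; a fresh install of a differently signed package goes through, which is why this check belongs before the first install.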