The apps capitalize on latent demand for Telegram and Instagram, both of which are banned in the Islamic Republic. Telegram is estimated to have as many as 40 million users in the country and has been used in the past to organize popular protests against the authoritarian government.
“Once installed, some of these Telegram ‘clones’ have access to mobile devices’ full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to back-end servers, which allows the attacker to take full control of the account in use,” Cisco explained.
However, the apps are classified only as greyware or potentially unwanted programs (PUPs), because they still carry out legitimate functions such as sending messages. That mix of legitimate and malicious behaviour makes them harder for researchers to detect.
“We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps,” said Cisco. “Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.”
Cisco also uncovered classic phishing attacks that spoofed Telegram log-in pages, hosted on domains it linked to the state-sponsored Charming Kitten group.
Finally, the researchers observed BGP hijacking activity involving an Iranian telco, which could have been used to compromise communications. Cisco branded it “a deliberate act targeting Telegram-based services in the region.”
The firm stopped short of providing a solid link between the three attack types aside from their focus on Telegram, and admitted they could be used by any malicious actor, state-sponsored or not.
However, given the history of how the app is used in the repressive state, and the link to Charming Kitten, it would be understandable to assume Tehran has a hand in them.