Unofficial Telegram App with 100K Installs Pushed Malicious Sites

silversurfer

An app styling itself as a more feature-rich unofficial version of Telegram was installed over 100,000 times from Google Play only to provide minimum messaging services and to promote malicious websites.

Named MobonoGram 2019, the app used code from the legitimate Telegram messenger and added a few scripts that ran in secret on the infected device to help with persistence and with loading URLs received from the command server.

By the time security researchers found the malicious app, its developer, RamKal Developers, had already pushed five updates to the official Android store.

Available in English and Farsi, MobonoGram 2019 was available to users in regions that prohibited the use of Telegram (e.g. Russia, Iran) and would start automatically after booting the device, as well as after installing or updating an app.

It is unclear how long MobonoGram 2019 remained on Google Play, but pushing this high a number of installations was possible by redirecting users from third-party repositories to Google's official market for mobile.
 
