
Analysis of a Scam: Fake Telegram Client (BlackGram)

I’m officially contributing to a project where we analyze the growing trend of Android malware and scam campaigns spreading via the Telegram messenger in Iran. Since Telegram is the dominant messaging application used by Iranians, scammers have built their tools and services on top of this infrastructure. We have observed scam campaigns where they take your money but don’t deliver the service they promised, and we have also observed cases where various social engineering techniques are used to get access to the victim’s contacts or to add them to advertisement channels. These guys are operating channels with 170,000+ members, and using their group of channels they accept what they call “mass advertisement” requests with predefined payment plans, e.g. 20,000 views for about $12. In this post we’ll analyze a scam using a fake Telegram client.

The Black Telegram

As we continue our analysis, we find the same technique being applied across campaigns, likely by a small group of people. The back-end server handling the payment and registration process is the same for many of these applications, and they have registered payment gateways under what look like real businesses to help launder the money. We’re yet to derive the trend of their monetization techniques and infection vectors, so for this blog post I plan to analyze a fake Telegram client named “The Black Telegram” or “BlackGram”. It is supposed to be an Android Telegram client with a black theme.

Since Telegram’s Android client has an open-source repository on GitHub, all it takes for someone to publish a trojanized version of this client is some knowledge of Java. The file I analyzed was TelegrameSiah.apk, a normal Android application with a code base very similar to Telegram; the only clear difference was that the package name for this application was org.telegram.messenger.bazd.

When you launch BlackGram there’s a “Start” button on the first page, which brings up the screen where you enter your phone number:

We went ahead and activated our account on this device, and we were then automatically added to two channels, each with 170,000 members:

But that’s not what you see from BlackGram’s side. What you see is a screen asking you to enter an activation PIN, which then redirects you to a payment page asking for an amount of $3 in Rials.

One other noticeable thing was that the payment gateway was registered with a bogus company name and a fake company domain that appears never to have existed. We don’t know how they bypassed the verification process to activate their payment gateway.

Anyways, after making the payment, they offer to let you install two additional apps as a gift you have “won”: The Professional Tracker and Telegraph, which I haven’t analyzed yet but assume are another type of scam. But after paying for the application, nothing happens on the client side; it’s just a dead end and the client doesn’t even work! Seriously fix your shit :)).

Analyzing BlackGram

Now that we know what this application does, let’s take a look at its code to see if there are any hidden functionalities that we missed. First off I decompiled the APK. I also got the official Telegram source matching the version number of BlackGram, which was 3.13.1 (8511). I used jadx to decompile the application and convert it to Java source code, then used diff with the -r flag to recursively compare the files of the official Telegram client and BlackGram and find what’s modified.

As it turns out, some variable names have been changed and some resources have been translated to Farsi, most of which we can ignore (Download output of diff command). The main difference lies in

Lines 70-147 were the original Telegram code building the main UI; they are replaced with lines 156-231, which load the custom UI asking for activation and payment.

A JoinChannel method is added to the code and is called with two hash values, AAAAAEDRX8ZG4nAAFDu0OA and AAAAAEGvmODHTEP5rWs4Hg; if you put them into a Telegram channel invite URL you get the two channels we were automatically added to.

This code also creates a view from an XML resource file in lines 156 and 157 using the LayoutInflater.inflate() method. This view is shown instead of the original Telegram UI, since the code creating the original view is removed. So this is how you get to the payment page. As simple as that, you are scammed into making a payment and you’ve also joined their channels and their advertisement network, which brings them even more income.
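As an added example (not from the original post), here is the "jadx + diff -r" triage step scripted in Python: it compares two decompiled source trees and, for each modified Java file, lists the methods that exist only in the suspect copy, which is exactly how JoinChannel stood out. The two sample trees, the class and file names, and the method-matching regex are constructed for this example and are not taken from Telegram's or jadx's code.

```python
"""Differential triage of a jadx-decompiled APK against the matching upstream source:
added/removed/modified files plus Java methods only the suspect tree defines."""
import os
import re
import tempfile
# Crude Java method-declaration matcher (constructed for this example; good enough for
# decompiler output, which is regularly formatted).
METHOD_RE = re.compile(r'^\s*(?:public|private|protected|static|final|\s)*'
                       r'[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{', re.M)
def _read(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()
def _files(root):
    return {os.path.relpath(os.path.join(d, f), root)
            for d, _, fs in os.walk(root) for f in fs}
def diff_trees(official, suspect):
    """Like 'diff -r' over two source trees, plus per-file methods added in suspect."""
    a, b = _files(official), _files(suspect)
    report = {"added": sorted(b - a), "removed": sorted(a - b),
              "modified": [], "added_methods": {}}
    for rel in sorted(a & b):
        src_a, src_b = _read(os.path.join(official, rel)), _read(os.path.join(suspect, rel))
        if src_a == src_b:
            continue
        report["modified"].append(rel)
        if rel.endswith(".java"):  # method names only the suspect copy defines
            new = set(METHOD_RE.findall(src_b)) - set(METHOD_RE.findall(src_a))
            if new:
                report["added_methods"][rel] = sorted(new)
    return report
# Constructed sample: official onCreate builds the main UI; the suspect copy inflates an
# activation layout instead and adds JoinChannel (invite hashes as quoted in the post).
OFFICIAL_JAVA = ('public class LaunchActivity extends Activity {\n'
                 '    protected void onCreate(Bundle s) { setContentView(buildMainUi()); }\n}\n')
SUSPECT_JAVA = """public class LaunchActivity extends Activity {
    protected void onCreate(Bundle s) {
        JoinChannel("AAAAAEDRX8ZG4nAAFDu0OA");
        JoinChannel("AAAAAEGvmODHTEP5rWs4Hg");
        setContentView(LayoutInflater.from(this).inflate(R.layout.activation, null));
    }
    private void JoinChannel(String inviteHash) { /* join by invite hash */ }
}
"""
def build_sample_trees():
    """Write both constructed trees under a temp dir; returns (official, suspect)."""
    root, out = tempfile.mkdtemp(), []
    for name, java in (("official", OFFICIAL_JAVA), ("suspect", SUSPECT_JAVA)):
        d = os.path.join(root, name, "org", "telegram", "ui")
        os.makedirs(d)
        with open(os.path.join(d, "LaunchActivity.java"), "w") as f:
            f.write(java)
        out.append(os.path.join(root, name))
    return tuple(out)
```

Run `diff_trees(*build_sample_trees())` to see the report; on real jadx output, point it at the two decompiled directories instead.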

There’s more interesting information about this campaign but I’m holding it for later.
