{"id":72528,"date":"2023-01-14T06:00:00","date_gmt":"2023-01-14T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=72528"},"modified":"2025-09-09T01:13:12","modified_gmt":"2025-09-08T22:13:12","slug":"trojanised-telegram-a-fake-pokemon-nft-game-and-other-cybersecurity-events","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/trojanised-telegram-a-fake-pokemon-nft-game-and-other-cybersecurity-events\/","title":{"rendered":"Trojanised Telegram, a fake Pokemon NFT game and other cybersecurity events"},"content":{"rendered":"<p>We have gathered the week&#8217;s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Users fell victim to espionage via a trojanised Telegram.<\/li>\n<li>A fake Pokemon NFT game allowed hackers to take control of Windows devices.<\/li>\n<li>Data of 200 million Twitter users was made public.<\/li>\n<li>MetaMask warned of a new cryptocurrency scam.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Users fall victim to espionage by trojanised Telegram<\/strong><\/h2>\n<p>ESET researchers uncovered a fake Shagle app, a trojanised version of the Telegram Android app with a backdoor added to its code.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">This week, the ESET research team published their findings about an espionage campaign by the StrongPity APT group that spreads a fully functional, but trojanized version of the legitimate Telegram app for Android.<\/p>\n<p>\u25b6\ufe0f Watch <a href=\"https:\/\/twitter.com\/hashtag\/WeekInSecurity?src=hash&#038;ref_src=twsrc%5Etfw\">#WeekInSecurity<\/a> with <a href=\"https:\/\/twitter.com\/TonyAtESET?ref_src=twsrc%5Etfw\">@TonyAtESET<\/a> to learn more. 
<a href=\"https:\/\/t.co\/Ch7fZIYDuc\">pic.twitter.com\/Ch7fZIYDuc<\/a><\/p>\n<p>\u2014 ESET (@ESET) <a href=\"https:\/\/twitter.com\/ESET\/status\/1613894655673880576?ref_src=twsrc%5Etfw\">January 13, 2023<\/a><\/p><\/blockquote>\n<p>ESET attributes the campaign to the StrongPity APT group.<\/p>\n<p>The legitimate Shagle platform provides random encrypted video chats, but it is web-only and has no dedicated mobile app. Since 2021, StrongPity has distributed the malware through a site masquerading as the official Shagle site.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/CvGDQkRdmoNNa-5JIvA8msqrJ5H642SSW4DsJqinemNAY9wkmV8awkBTYG3qUAgjCauBB3YtI5kB-FlqaRtweQM7F1vGXJ6a0610uSpV3Pgt-EXZsRw9kIy1LQc4et8hsiTFPfgzv9bq7iOcrDCePalussO4n96-gVOWjFiJd_ENnUFDsRaY6aUS300M3A\" alt=\"Trojanised Telegram, a fake Pokemon NFT game and other cybersecurity events\"\/><figcaption>Legitimate site on the left and the fake one on the right. Data: ESET.<\/figcaption><\/figure>\n<p>After installation, the app lets the attackers monitor victims by recording calls, tracking device location and collecting SMS messages, call logs, contacts and files. 
The collected data ultimately makes its way to the hackers&#8217; command-and-control server.<\/p>\n<p>The malware&#8217;s permissions enable it to read incoming notifications and messages from various apps, including Gmail, Kik, LINE, Facebook Messenger, Skype, Snapchat, Telegram, Tinder, Twitter, Viber and WeChat.<\/p>\n<p>Additionally, if it is granted full administrative privileges on the device, the malware can automatically change security settings, write data to the filesystem, and reboot the phone.<\/p>\n<p>ESET analysts suspect that links to the fake Shagle site were spread via phishing email campaigns, SMS phishing, or instant messages on online platforms.<\/p>\n<p>The hackers&#8217; site is currently inactive.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Fake Pokemon NFT game allowed hackers to gain control of Windows devices<\/strong><\/h2>\n<p>According to <a href=\"https:\/\/asec.ahnlab.com\/en\/45312\/\">experts at ASEC<\/a>, attackers are using a fake Pokemon card game site to distribute the NetSupport remote access tool and gain control over victims&#8217; devices.<\/p>\n<p>The site claims that the strategy game is based on the Pokemon franchise and promises users extra earnings from NFT investments.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/f3Kls3gRguSChsS-bXVYetofN8uoi5os_m5s1elqgbChyP7OU00tgUjC2Krq_Rqhqecl4HJPhp_dbwA7UTWGmUE0IWMNVYoyfgUum7-2i-TQpbAxVGmzJvnhLvg4kK55oHqOAlC-w5zAb0RLmYJQmt3XdefX_c509whxoeGyfcPU-1J-tiIYO0gqbBNTaQ\" alt=\"Trojanised Telegram, a fake Pokemon NFT game and other cybersecurity events\"\/><figcaption>Data: ASEC.<\/figcaption><\/figure>\n<p>Clicking the &#8216;Play on PC&#8217; button downloads an executable that looks like a standard game installer but actually installs the NetSupport remote access tool on the victim&#8217;s system. 
Although NetSupport Manager is legitimate software, attackers frequently abuse it in malware campaigns.<\/p>\n<p>It enables hackers to remotely connect to the infected device to steal data, install other malware, or attempt further propagation across the network.<\/p>\n<p>The first signs of activity for this campaign appeared in December 2022. At the time of writing, the site was still accessible.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Data of 200 million Twitter users exposed online<\/strong><\/h2>\n<p>Another Twitter user data leak was documented on the well-known Breached hacker forum. As reported by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/200-million-twitter-users-email-addresses-allegedly-leaked-online\/\">Bleeping Computer<\/a>, the 59-GB dump contains information on 200 million profiles.<\/p>\n<p>The hacker valued the database at $2.<\/p>\n<p>In total, 211,524,284 unique email addresses were exposed. The dump also includes names, usernames, follower counts and account creation dates.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/XQcwwyr1YNQAj72EcqxOTKLZdP9pjTjwfABdEWbznkBTOVgzXAfSq1hd23LZQRzhHXgPw-csxelXb0S4swkuqd5yi_9eTUGBEmMSXDPYO0_cs6_W9mZXlDMR37jYb7DZHG1rJw9A_kl_kTE8QdK-cz9lV-rX9IIIHPaK9-y9JqZygprRdF4DNG-0ZNTpwA\" alt=\"Trojanised Telegram, a fake Pokemon NFT game and other cybersecurity events\"\/><figcaption>Data: Bleeping Computer.<\/figcaption><\/figure>\n<p>Twitter representatives stated that the user information was not obtained through the previously identified API vulnerability related to the Android client authentication process.<\/p>\n<p>In December 2021, that vulnerability could be used to submit phone numbers and email addresses and obtain the corresponding Twitter ID. 
The bug was fixed in January 2022.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;The aforementioned dataset of 200 million users cannot be correlated with the incident previously reported or any information obtained from exploiting Twitter systems,&#8221; said Twitter representatives.<\/p>\n<\/blockquote>\n<p>Twitter stressed that the dump did not contain passwords or information that could lead to password compromises.<\/p>\n<h2 class=\"wp-block-heading\"><strong>MetaMask warns of a new cryptocurrency scam<\/strong><\/h2>\n<p>The non-custodial wallet MetaMask warned of a new scam called &#8216;Address Poisoning,&#8217; which tricks users into sending funds to the scammer instead of the intended recipient.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">A new scam called \u2018Address Poisoning\u2019 is on the rise. Here\u2019s how it works: after you send a normal transaction, the scammer sends a $0 token txn, \u2018poisoning\u2019 the txn history. (1\/3)<\/p>\n<p>\u2014 MetaMask Support (@MetaMaskSupport) <a href=\"https:\/\/twitter.com\/MetaMaskSupport\/status\/1613255316870729728?ref_src=twsrc%5Etfw\">January 11, 2023<\/a><\/p><\/blockquote>\n<p>Scammers poison the transaction history by inserting wallet addresses that closely resemble those used in the victim&#8217;s recent transfers.<\/p>\n<p>To do so, the attacker sends a small amount of cryptocurrency to the victim&#8217;s address, or even a zero-value transaction, so that the look-alike address shows up in the wallet history. 
Because MetaMask shortens addresses in the transaction history, showing only the first and last characters, the look-alike entry creates the impression that it is the same counterparty&#8217;s address.<\/p>\n<p>The attacker then waits for the victim to copy that look-alike address into a subsequent transfer.<\/p>\n<p>There is no foolproof way to prevent this kind of fraud, so MetaMask warns users to be careful when copying addresses from transactions.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Darknet marketplaces shift to Android apps<\/strong><\/h2>\n<p>From Q3 2022, drug-trafficking darknet marketplaces began using their own Android apps to increase privacy and avoid law enforcement attention, according to Resecurity.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Resecurity has released a report on drug trafficking in the Dark Web, highlighting the new communication methods used by criminals such as proprietary Android-based mobile apps and the launch of the new underground marketplace KRAKEN. Learn more\ud83d\udc47:<a href=\"https:\/\/t.co\/jpJDOuCuNB\">https:\/\/t.co\/jpJDOuCuNB<\/a> <a href=\"https:\/\/t.co\/79EuibnCo9\">pic.twitter.com\/79EuibnCo9<\/a><\/p>\n<p>\u2014 Resecurity\u00ae (@RESecurity) <a href=\"https:\/\/twitter.com\/RESecurity\/status\/1612370959952146432?ref_src=twsrc%5Etfw\">January 9, 2023<\/a><\/p><\/blockquote>\n<p>According to Resecurity, at least seven trading platforms \u2014 Yakudza, TomFord24, 24Deluxe, PNTS32, Flakka24, 24Cana and MapSTGK \u2014 released <span data-descr=\"Android Package Kit \u2014 a format of archived executable files for Android and several other Android-based operating systems.\" class=\"old_tooltip\">APK<\/span> files of their own Android apps.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh5.googleusercontent.com\/nyfiNQoYbIVBCPCkt5tpjPNiCFvqCe6Axs1yAAUtskX0b6zE4sIlWs7TNbG4t3unmEykzOMCX9_0X0RKhqw77pEPRk03wKwzW0y_QNZqL6lYLzpFG6u0R1kWRjjOXAVc9HDWtp3UR1o8IGRRkC3vzr9ts-fz5a95xRsXLnTaMKrIrEEN_H1riRjDofWCLQ\" alt=\"Trojanised Telegram, a fake Pokemon NFT game and other cybersecurity events\"\/><figcaption>Data: Resecurity.<\/figcaption><\/figure>\n<p>Experts suggested this was a response to last year\u2019s law-enforcement actions, notably the <a href=\"https:\/\/u1f987.com\/en\/news\/german-police-confiscated-hydra-servers-and-seized-543-btc\">closure of Hydra marketplace<\/a>.<\/p>\n<p>The mobile apps are used to transmit data about drug orders and to send the geographic coordinates of the stash left by the courier. Spreading this information across separate apps fragments the evidence and makes it harder for law enforcement to track the criminals.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Experts logged a breach affecting 3.5 million Mail.ru users<\/strong><\/h2>\n<p>Data from one of Mail.ru\u2019s services was made public, according to the Telegram channel \u201cInfo Leaks\u201d.<\/p>\n<p><script async=\"\" src=\"https:\/\/telegram.org\/js\/telegram-widget.js?21\" data-telegram-post=\"dataleak\/2863\" data-width=\"100%\"><\/script><\/p>\n<p>The published database contains more than 3.5 million rows, with fields including:<\/p>\n<ul class=\"wp-block-list\">\n<li>nickname, first name, last name and user ID;<\/li>\n<li>email address on the mail.ru, corp.mail.ru, bk.ru, inbox.ru and list.ru domains;<\/li>\n<li>mobile phone number.<\/li>\n<\/ul>\n<p>In total, 1,647,711 unique phone numbers are in the database. 
A random check via the account.mail.ru password-recovery form confirmed that the leaked entries belong to real users.<\/p>\n<p>Mail.ru said that users are not under threat and that the service is &#8220;secure.&#8221;<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;The published data relate to a leak from a third-party resource in early 2022,&#8221; according to the company&#8217;s press service.<\/p>\n<\/blockquote>\n<p>The company is investigating the incident.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>CoinMarketCap accused of conducting <a href=\"https:\/\/u1f987.com\/en\/news\/coinmarketcap-accused-of-conducting-fake-airdrops\">fake airdrops<\/a>.<\/li>\n<li>CFTC filed a lawsuit against a participant <a href=\"https:\/\/u1f987.com\/en\/news\/cftc-files-suit-against-participant-in-mango-markets-defi-attack\">in the Mango Markets DeFi attack<\/a>.<\/li>\n<li>Report: crypto industry losses from hacks in 2022 <a href=\"https:\/\/u1f987.com\/en\/news\/report-crypto-industry-losses-from-hacks-in-2022-rise-to-3-6-billion\">rose to $3.6B<\/a>.<\/li>\n<li>Brother of Helix founder pleaded guilty <a href=\"https:\/\/u1f987.com\/en\/news\/brother-of-helix-founder-pleads-guilty-to-stealing-over-712-btc-seized-by-the-u-s\">to stealing 712 BTC<\/a>.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read this weekend?<\/strong><\/h2>\n<p>Read about DeFi hacks and scams in 2022 in <a href=\"https:\/\/u1f987.com\/en\/news\/2022-in-review-how-the-defi-sector-fared-amid-the-terra-and-ftx-crashes\">ForkLog&#8217;s end-of-year piece<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have gathered the week&#8217;s top cybersecurity 
news.<\/p>\n","protected":false},"author":1,"featured_media":72529,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-72528","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"34","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/72528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=72528"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/72528\/revisions"}],"predecessor-version":[{"id":72530,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/72528\/revisions\/72530"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/72529"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=72528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=72528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=72528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}