This isn’t a leak, but… – Mystic Leaks
ย This isn’t a leak, but…
BREAKING: Nekogram is secretly sending your phone numbers to the developer
The backdoor is hidden in the http://Extra.java
file, which differs from the template uploaded to the repository. The obfuscated code sends data as an inline request to the @nekonotificationbot, leaving no trace.
More info about the backdoor: https://github.com/Nekogram/Nekogram/issues/336 (locked by Nekogram devs)
To validate this, we made a PoC: an LSPosed module that replaces the bot ID and username to ours so all requests are going to it. That way, we confirmed that the phone numbers are being collected. Every. Login.
The PoC is available here: https://github.com/RomashkaTea/nekogram-proof-of-logging
What should you do?
1. Report the app on Play Store: https://play.google.com/store/apps/details?id=tw.nekomimi.nekogram
2. Report the repository on GitHub: https://github.com/Nekogram/Nekogram
3. Delete the app and stop using unofficial Telegram clients
READ FULL ARTICLE: This article originally appeared on Mystic Leaks
