The Daily Psyop

Where Skepticism Meets Insight

This isn’t a leak, but… – Mystic Leaks

BREAKING: Nekogram is secretly sending your phone numbers to the developer

The backdoor is hidden in the Extra.java file, which differs from the template uploaded to the repository. The obfuscated code sends data as an inline request to the @nekonotificationbot, leaving no trace.

More info about the backdoor:
https://github.com/Nekogram/Nekogram/issues/336 (locked by Nekogram devs)

To validate this, we made a PoC: an LSPosed module that replaces the bot ID and username with ours so that all requests go to it. That way, we confirmed that the phone numbers are being collected. Every. Login.

The PoC is available here: https://github.com/RomashkaTea/nekogram-proof-of-logging

What should you do?

1. Report the app on Play Store: https://play.google.com/store/apps/details?id=tw.nekomimi.nekogram
2. Report the repository on GitHub: https://github.com/Nekogram/Nekogram
3. Delete the app and stop using unofficial Telegram clients


READ FULL ARTICLE: This article originally appeared on Mystic Leaks

TheMcgwire

Founder of The Daily Psyop. Passionate about Foreign Policy. Have been actively involved in Independent Media since 2019.
