Third-Party Telegram Apps Caught Exfiltrating User Phone Numbers
A recent exposé has revealed that third-party Telegram client applications, notably Nekogram and Cherrygram, have been actively collecting users’ phone numbers. The developer behind Nekogram, identified as a Chinese national with a history of unethical online activities including DDoS attacks, has tacitly admitted to the data collection, offering no substantial defense. This practice appears to involve building a database of phone numbers, potentially for sale to OSINT services. Alarmingly, the version of Nekogram available for download differs from its GitHub repository, with compiled versions containing the malicious functionality.
The method of data exfiltration is particularly insidious. Instead of generating overtly suspicious network traffic, Nekogram uses Telegram's own inline query feature to send data to a bot controlled by the developer. Because inline queries do not normally leave a history, this covert channel avoids obvious traces in the user's activity logs, and the traffic blends in with legitimate Telegram API calls. The case highlights a critical weakness: the perceived security of an open-source project can be undermined entirely by the compiled binaries that are actually distributed to users.
The revelations extend to Cherrygram, which appears to have recently removed similar spyware functionality following the exposure. The responses from the Cherrygram developer, including attempts at damage control, further underscore the gravity of these findings. These incidents serve as a stark reminder that relying on unofficial client applications, even those claiming open-source origins, introduces significant risks. The discrepancy between code repositories and distributed binaries poses a persistent challenge for user security.
What This Means For You
- Security professionals should advise users to use only the official Telegram client. The compromise of third-party clients, even those with open-source codebases, shows that trust must rest on verified, official distribution channels rather than on the existence of a public repository; otherwise personal data such as phone numbers can be exfiltrated and misused.