The unofficial Telegram client Nekogram sent phone numbers to the developer's bot.

Obfuscated code has been discovered in the unofficial Telegram client Nekogram. It secretly sends the phone numbers of users logged into the app to the bot "@nekonotificationbot", tied to the user ID. The phone number collection is present only in the prebuilt APK packages distributed via Google Play, GitHub, and the project's Telegram channel. It is absent from the source code on GitHub and from the APK package in the F-Droid catalog.

The backdoor was present in the Extra.java file. Phone numbers were presumably sent starting with Nekogram version 11.2.3, initially only for users with Chinese phone numbers, and then for everyone. The program also used the OSINT bots "@tgdb_search_bot" and "@usinfobot" to identify users by their IDs, but phone numbers were not sent to them.

Researchers have developed a Java hook and bot that allow any user to verify that their application instance is sending phone numbers.

According to the researchers who uncovered the issue, the program's authors may have used the information they received to build a database for subsequent sale to OSINT bot creators. The obfuscation of the modification and the use of inline requests to send data indicate intentional concealment of this activity. After the issue was disclosed in the project's bug tracking system, the author of Nekogram admitted sending phone numbers to his bot, without explaining the reason for this activity, but noted that the phone numbers sent were not saved or shared with anyone.

Additionally, a vulnerability has been identified in the official Telegram app. The Zero Day Initiative (ZDI), a project offering cash rewards for reporting unpatched vulnerabilities, has published preliminary data on vulnerability ZDI-CAN-30207 in Telegram, which has been assigned a critical severity level (9.8 out of 10) and identified as a remote attack requiring no user action. Details are scheduled to be released on July 24, giving Telegram developers time to deploy a fix to users.

Separately, information has emerged that the vulnerability manifests itself when opening specially crafted animated stickers in Telegram and can lead to the execution of malicious code without any user action. Apparently, the vulnerability is caused by an error in the code of the rlottie library, which powers the preview function.

Telegram representatives stated that they do not consider the identified problem to be a dangerous vulnerability, as all uploaded stickers are pre-checked on Telegram's servers and such a check would have prevented the malicious sticker from being displayed to users. Following Telegram's announcement, the vulnerability's severity level was lowered from 9.8 to 7.0.

Source: opennet.ru
