The Trojan in the Play Store: How the Telega Client Became a Million-Install MITM Trap
On March 18, 2026, the developers of Telega, a third-party Telegram client, switched on a hidden mechanism that routes all traffic between the app and Telegram's servers through their own infrastructure, according to a technical analysis published at dontusetelega.lol.
The analysis describes a two-stage scheme. First, the app queries the server api.telega.info and receives a list of IP addresses that replace the real addresses of Telegram's data centers. All of the substitute addresses belong to autonomous system AS203502, registered to JSC "Telega" in November 2025. The researchers note that this AS has a single upstream provider, AS47764 LLC VK (Mail.ru), which they take as indirect but strong evidence of a link between Telega and VK.
The second stage is the substitution of a cryptographic key. Decompiling the app's native library, the analysts found four RSA public keys, where the official Telegram client embeds three. The extra key is accepted by Telega's servers and rejected by Telegram's. In MTProto the client uses these embedded RSA public keys to authenticate the data center during the initial key exchange, so a client that trusts one additional key will complete a handshake with whoever holds the matching private key. Combined with the address substitution, this enables a classic man-in-the-middle (MITM) attack: Telega's servers negotiate one key with the user's client and a different key with the real Telegram server, and thereby obtain plaintext access to all traffic passing between them.
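One way to detect the kind of extra key described above, as an added example that is not code from the dontusetelega.lol analysis or from Telega: scan a native library for PEM-encoded public keys, fingerprint each by the SHA-256 of its decoded DER bytes, and diff the result against a reference set taken from the official client. The sample library blob and every fingerprint below are constructed for this example; they are not Telegram's real keys, and the label names (`dc_key_1` and so on) are placeholders.

```python
"""Audit a native library for embedded RSA public keys and flag any that
are not in a reference set.

Added example, not code from the dontusetelega.lol analysis or from Telega.
Telegram-style clients carry their data-center RSA public keys as PEM text
inside a native library, so a PEM scan plus a hash of the DER bytes gives a
fingerprint per key that can be compared against the official client's set.
All sample data and fingerprints below are constructed, not real keys.
"""
import base64
import hashlib
import re
from typing import Dict, List

# Matches PEM blocks labelled "RSA PUBLIC KEY" (PKCS#1) or "PUBLIC KEY"
# (SubjectPublicKeyInfo); \s* tolerates LF or CRLF line endings.
PEM_RE = re.compile(
    rb"-----BEGIN (RSA )?PUBLIC KEY-----\s*(.*?)\s*-----END (?:RSA )?PUBLIC KEY-----",
    re.DOTALL,
)


def extract_key_fingerprints(blob: bytes) -> List[str]:
    """Return SHA-256 hex fingerprints of every distinct PEM public key in blob.

    Hashing the decoded DER (not the PEM text) makes the fingerprint
    independent of line wrapping, line endings and the PEM label, so the
    same key embedded twice is reported once. Bodies that are not valid
    base64 are skipped rather than hashed as garbage.
    """
    found: List[str] = []
    for match in PEM_RE.finditer(blob):
        body = b"".join(match.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp not in found:
            found.append(fp)
    return found


def audit_keys(blob: bytes, reference: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the keys found in blob with a reference set.

    reference maps a label to the expected fingerprint. The result lists
    which reference keys were found, which are missing, and any fingerprint
    the reference set does not know. An "unknown" entry is the signal from
    the text: a key the official client does not carry.
    """
    found = extract_key_fingerprints(blob)
    by_fp = {fp: label for label, fp in reference.items()}
    return {
        "known": [by_fp[fp] for fp in found if fp in by_fp],
        "missing": [label for label, fp in reference.items() if fp not in found],
        "unknown": [fp for fp in found if fp not in by_fp],
    }


def pem_block(label: bytes, der: bytes, newline: bytes = b"\n") -> bytes:
    """Wrap der as a PEM block with 64-character lines (constructed test data)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----" + newline
            + newline.join(lines) + newline
            + b"-----END " + label + b"-----" + newline)


# Constructed stand-ins for DER-encoded keys. Real keys are a few hundred
# bytes of ASN.1, but the audit only hashes bytes, so any payload exercises it.
REFERENCE_DER = {
    "dc_key_1": b"constructed-der-for-reference-key-1",
    "dc_key_2": b"constructed-der-for-reference-key-2",
    "dc_key_3": b"constructed-der-for-reference-key-3",
}
REFERENCE_FINGERPRINTS = {
    label: hashlib.sha256(der).hexdigest() for label, der in REFERENCE_DER.items()
}
EXTRA_DER = b"constructed-der-for-an-extra-key"
EXTRA_FINGERPRINT = hashlib.sha256(EXTRA_DER).hexdigest()


def build_sample_library() -> bytes:
    """A fake native-library blob (constructed): the three reference keys,
    one of them with CRLF endings and one duplicated under the SPKI label,
    plus a fourth key and one corrupt block, between filler bytes."""
    return (
        b"\x7fELF\x02\x01\x01" + b"\x00" * 16
        + pem_block(b"RSA PUBLIC KEY", REFERENCE_DER["dc_key_1"])
        + b"\x00" * 8
        + pem_block(b"RSA PUBLIC KEY", REFERENCE_DER["dc_key_2"], newline=b"\r\n")
        + pem_block(b"PUBLIC KEY", REFERENCE_DER["dc_key_2"])  # same key, other label
        + pem_block(b"RSA PUBLIC KEY", REFERENCE_DER["dc_key_3"])
        + pem_block(b"RSA PUBLIC KEY", EXTRA_DER)
        + b"-----BEGIN RSA PUBLIC KEY-----\n!!not base64!!\n-----END RSA PUBLIC KEY-----\n"
        + b"\x00" * 8
    )


if __name__ == "__main__":
    report = audit_keys(build_sample_library(), REFERENCE_FINGERPRINTS)
    print("known   :", report["known"])
    print("missing :", report["missing"])
    print("unknown :", report["unknown"])
```

Run stand-alone, the script reports three known keys, none missing, and one unknown fingerprint, which is the condition the analysis describes for Telega's library. Against a real APK the same functions would be run over the extracted lib/<abi>/*.so files, with the reference set populated from the keys in the official client's source; a non-empty "unknown" list is worth investigating, and a non-empty "missing" list means the build has dropped a key the official client trusts.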
The researchers also describe a mechanism for forcibly terminating the user's current session. On a command from the Telega server, delivered through a hidden push notification, a link, or an in-app banner, the app deletes the authorization key of the current session and forces the user to log in again. This step is necessary to trigger a fresh key exchange, this time through the substitute servers. The banner text found in the code asks the user to "re-authenticate within the application to expedite the connection."
The analysis further shows that Telega disables Perfect Forward Secrecy (PFS) by default, a protection that the official Telegram clients always use. With PFS the client periodically negotiates temporary keys, so that compromise of the current key does not expose past messages. In Telega this setting is controlled by the server through the same endpoint, and its default value is off.
End-to-end encrypted secret chats are also disabled by default. According to the report, the app receives an enable_sc flag set to false via Firebase Remote Config. Incoming requests to start a secret chat are then ignored, and the option to create one is hidden from the interface, so the user never learns that someone tried to reach them through a secret chat.
Beyond the MITM mechanism, the researchers found a blacklist system in the app. On a request to the Telega server, the app checks whether a given channel, user, group, or bot is on the list; if so, its content is replaced with a placeholder reading: "This [chat/channel/bot] is inaccessible due to violations of the platform's rules." The researchers point out that this wording is designed to give the impression that the block comes from Telegram rather than from Telega.
On the day the MITM functionality was activated, users also came across demo interfaces of two internal moderation panels on subdomains of telega.info. The first, called Zeus, is a ticketing system for handling content-removal requests; in its test data the requests frequently originated from the address stream@rkn.gov.ru and carried the label "RKN". The second, Cerberus, is intended for real-time message moderation, with AI-based violation classification and the ability to automatically delete messages and ban users. The authors caution that they could not confirm whether these tools are used in production: the crude implementation "invites skepticism," and the interfaces may be nothing more than early prototypes.
Telega presents itself as a secure, open-source Telegram client that promises stable connectivity without a VPN. Its Google Play listing states that "all messages and data are encrypted and processed only on Telegram's side" and that the developers "have no access to chats and calls." The app has more than one million installations on Google Play.