Analysis by PMOI/MEK
April 26, 2019 - Since Thursday, Google has been warning users about two Iran-made apps, Telegram Gold and Hotgram, advising people not to install these applications because they contain spyware capabilities. Google is suggesting that users uninstall these applications from their devices, and a growing number of people in Iran are becoming aware of the threats posed by these apps, which are affiliated directly with the Revolutionary Guards (IRGC).
These two apps were launched by the IRGC with the intention of stealing users’ personal information. Prior to this, Telegram had warned users about the dangers of using Telegram Gold and Hotgram, emphasizing that the company takes no responsibility for the personal data of users who use these two apps.
Reports reveal how the Iranian regime has been using malicious apps to spy on users’ smartphones. The subject was raised in one of the most recent publications of the Paris-based National Council of Resistance of Iran (NCRI), widely regarded as the most influential Iranian opposition party.
In the report, NCRI exposes the attempts of government-backed hackers to develop apps designed to feed information on users’ devices back to central servers. This practice on the part of the regime was originally identified by researchers of the US branch of NCRI. The evidence was compiled into a paper titled “Iran Cyber Repression: How the IRGC Uses Cyberwarfare to Preserve the Theocracy” and was released in February. As a result, Google was able to identify at least one application on Google Play engineered by Iranian programmers. That app, called “Telegram Black,” has been removed from Google Play and the developer banned from offering additional apps on the site. Unfortunately, this incident is really just the tip of the iceberg.
Producing publicly available apps loaded with malware has long been a broad-based strategy of the Iranian regime. The regime has created close to 100 spyware apps, including Mobogram, Telegram Farsi, Hotgram, Wispi, and Telegram Talayi, all designed to resemble popular apps. These programs have already been unwittingly downloaded by hundreds of Iranian citizens.
The appearance of Telegram Black shows the risk these programs pose to international users as well. According to Alireza Jafarzadeh, the deputy director of the NCRI-US, the Iranian security apparatus contains “a unit called the Intelligence Organization, a specific department allocated to cyberwarfare. This is the department that deals with the cyberwarfare against the Western countries [and] against its own population.”
In some ways, these reports are old news.
Iran has been using the internet to suppress its own citizens forever. This practice has been on the uptick ever since the recent protest movement began in Iran last December.
Two points about this story are important with regard to US national security: the threat posed by Iran specifically, and the broader cyber integrity of the United States as a whole.
Iran is expanding its cyberwarfare tactics to an international scale. In fact, there is much evidence to suggest that one of the main motivations of the regime to implement cyber repression on the Iranian people is to test the efficiency of various tactics and then export them to enemy countries.
“The Iranian regime is currently hard at work to test the success of these apps on the people of Iran first,” said Jafarzadeh. “If not confronted, its next victims will be the people of other nations.”
Speaking to the Senate Select Committee on Intelligence almost two weeks ago, Director of National Intelligence Dan Coats voiced a similar sentiment. “Iran will try to penetrate US and allied networks for espionage and lay the groundwork for future cyberattacks,” said Coats in his statement.
All of this confirms the theory posed by several experts over the past months that Iran will resort to the cyber realm to target its adversaries. This applies to both direct cyberattack as well as intelligence-gathering operations. Iran has a strong track record on this already.
In late 2017, for instance, British intelligence officials reported that a series of hacks in June 2017 that targeted several Parliament members, including Prime Minister Theresa May, was executed by cybercriminals connected to the Iranian government. The hacks affected some 9,000 accounts and exposed approximately 100 sensitive communications. While Iran may not be the most advanced in cyber capabilities, the country has proven itself capable enough to execute substantial operations.
The second takeaway from these reports is the implication for the cyber integrity of the civilian realm. Much talk has been generated about threats to domestic information systems in the United States ever since reports by American intelligence agencies came out back in October, warning of the exposure of “critical infrastructure” to “state actor” attacks. The importance of this warning, and of others that followed, lay in underscoring the vulnerability of the private sphere in general as the most likely cyber target of America’s enemies. Planting malware in publicly accessible app venues could prove to be one of the most effective routes to target the West in the digital sphere.
Until now, Iran’s 80-million-strong population has been a testing ground to determine the most successful methods for cyber intrusion and attack. The evidence shows the method adopted by the regime: creating malicious apps disguised as legitimate ones. It is no surprise that this same tactic is now being used to target international users. The aforementioned NCRI report lists a handful of supposedly problematic apps that are available outside of Iran. The list includes Mobogram, Telegram Farsi, and Telegram Black. U.S. media has reported that most, if not all, are indeed still available for download.
Noteworthy in these reports is that the specific tactic being used by Iran-backed programmers to disseminate their malicious apps has been producing “forks,” or unofficial copies of other officially licensed programs. Using this method will likely lead Iran to produce replicas of the most popular applications in the US in the hopes that users will take the bait.
Iran’s attempts to hide viruses in popular applications echo the growing concern about the so-called “supply chain hack,” namely the danger of devices and programs becoming infected with malware at some point before reaching the consumer. This threat has become increasingly central in the world of IT security over the past several years. This danger has prompted a new level of awareness of the need to ensure that the digital products Americans use, whether devices or programs, are secure from the point of manufacture to the point of delivery.
Luckily, the work of private activism in tandem with industry leaders was able to expose and at least partially neutralize the threat posed by Iran’s latest attempts to target international users. At the very least, this revelation will serve as a wake-up call for both private and government organizations about the need to stay vigilant in combating Iran’s activities in the cybersphere.