Telegram is a messaging application that’s remarkable for its uncompromising end-to-end encryption. Telegram offers its own clients for Android, iOS, PC, Mac, and Linux platforms.
Unfortunately, scammers have set up a few fake websites that impersonate Telegram and offer malware disguised as a Telegram client. These fake websites use deceptive advertisements to spread. The malware that they offer appears to be password-stealing spyware.
Malicious actors abuse Telegram’s name to deliver this malware. It’s important to underline that Telegram is absolutely safe – you just have to make sure that you’re downloading the official application. I’ll be calling this malware Telegramdesktop virus or Telegramdesktop malware.
About Telegramdesktop virus:
| About Telegramdesktop virus | |
|---|---|
| How Telegramdesktop malware spreads | Websites are created to spoof Telegram, these websites are advertised online, and they download malware disguised as the Telegram PC client. |
| Dangers posed by the malware | It steals passwords and other data from infected computers. |
| How to avoid Telegramdesktop malware | Protect your device with antivirus programs (Spyhunter, Malwarebytes, others) and block malicious ads and websites. |
How the Telegramdesktop virus works
Malicious sites impersonate the official Telegram website
While looking into this, I discovered that professional malware researchers have already looked into this malvertising campaign, so go check them out for some in-depth analysis.
In short, there are some websites out there, including Telegramdesktop.org, Telegramdesktop.net, and Telegramdesktop.com (the latter has already been blacklisted by Google and is flagged by multiple antivirus scanners on Virustotal.com), that distribute a malicious file disguised as the Telegram Desktop client for Windows.
The Telegramdesktop sites were advertised in search engines such as Google.com. Malicious actors promoted the sites for users who searched for a Telegram desktop client. The ads for Telegramdesktop malware used phrases like “Official App” to push their fake Telegram client.
Fake Telegram installers are downloaded
Telegram’s real website is Telegram.org. The site to download Telegram clients from is Desktop.telegram.org.
The fake Telegramdesktop sites look just like Desktop.telegram.org. They also link to Telegram.org in their menus and contacts.
But one of the links is different – the button to “Get Telegram for Windows”. Instead of downloading the real Telegram client, it downloads a malicious file (named “TelegramInstaller.exe”, “TGInstaller.exe”, “TelegramInstaller-1.exe”, and similar) from Bitbucket.
Bitbucket is a legitimate software development and collaboration site. Unfortunately, some malicious actors abuse it to spread malware. Bitbucket removes malicious files as best it can.
The Telegramdesktop virus installs spyware
According to the analysis that I linked above, the Telegramdesktop virus is spyware. Once downloaded, it steals files and passwords saved in your browser and other online apps (such as VPN clients).
It also tries to get around antivirus programs, sets scheduled tasks to start on its own, and uses names that include the words “Microsoft” and “Chromium” to disguise itself.
Luckily, antivirus apps are able to detect this malware for what it is: on Virustotal.com, Telegramdesktop malware gets labels like Trojan, Malware, and Malicious.
How to avoid Telegramdesktop malware
Here are some things you can do to protect yourself from the Telegramdesktop virus and similar malware:
- Use ad blockers, malicious site blockers, and anti-malware tools to block dangerous websites.
- Always go to the official website to download Telegram and other software.
- Scan the files you download with antivirus programs. Use an antivirus tool that offers real-time protection.
Know that the Telegramdesktop websites are not dangerous on their own. If you visited them but didn’t download anything, you’re probably fine (though checking wouldn’t hurt). Downloading the files that the Telegramdesktop sites offer is what can result in your computer getting infected with spyware.
If you discover that Telegramdesktop malware did infect your computer with spyware, then remember to change your passwords. Once the spyware is removed, reset your passwords and make sure that you use 2-factor authentication wherever possible. This way, you can prevent your login data from being used to steal your accounts.
How to remove Telegramdesktop Virus using Windows Control Panel
Many hijackers and adware like the Telegramdesktop virus install some of their components as regular Windows programs as well as additional software. This part of the malware can be uninstalled from the Control Panel. To access it, do the following.
- Start→Control Panel (older Windows) or press Windows Key→Search and enter Control Panel and then press Enter (Windows 8, Windows 10).
- Choose Uninstall Program (if you don't see it, click in the upper right next to "View by" and select Category).
- Go through the list of programs and select entries related to Telegramdesktop Virus. You can click on "Name" or "Installed On" to reorder your programs and make the Telegramdesktop virus easier to find.
- Click the Uninstall button. If you're asked if you really want to remove the program, click Yes.
- In many cases anti-malware programs are better at detecting related parasites, thus I recommend installing Spyhunter to identify other programs that might be a part of this infection.
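As an added example (not from the original post), the same review can be done from a PowerShell prompt: it lists the Control Panel program entries installed recently, and it lists scheduled tasks whose names borrow "Microsoft" or "Chromium" (the disguise described above) but whose action runs from outside the Windows or Program Files trees. The 14-day window and the trusted-directory list are assumptions you can adjust.

```powershell
# Added triage script, not part of the original article. Assumes Windows PowerShell 5.1
# or later with the built-in ScheduledTasks module; run elevated for complete results.

# 1) Installed programs as Control Panel shows them, read from the Uninstall registry keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation, UninstallString

# Entries installed in the last 14 days (assumed window); InstallDate is stored as yyyyMMdd
$cutoff = (Get-Date).AddDays(-14).ToString('yyyyMMdd')
$recent = $programs | Where-Object { $_.InstallDate -and $_.InstallDate -ge $cutoff }
$recent | Sort-Object InstallDate -Descending | Format-Table -AutoSize

# 2) Scheduled tasks named after Microsoft or Chromium whose executable lives outside
#    the Windows and Program Files directories (assumed trusted roots).
$trustedRoots = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)})
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.TaskName -match 'Microsoft|Chromium' } |
    ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
            # Expand %windir%-style references and strip surrounding quotes before comparing
            $exe = [Environment]::ExpandEnvironmentVariables($_.Execute).Trim('"')
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                }
            }
            # Bare names such as cmd.exe resolve via PATH and are listed for manual review
            if (-not $inTrusted) {
                [PSCustomObject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = $_.Arguments
                }
            }
        }
    }
$suspiciousTasks | Format-Table -AutoSize
```

Anything the second list shows is worth checking against the file's publisher signature and install location before deciding whether to unregister the task and uninstall the program.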