Telega Exposed: Server Spoofing and Telegram Session Hijacking Breakdown
The Telega alternative client reroutes traffic from Telegram's official servers to its own infrastructure in Kazan (AS203502, subnet 130.49.152.0/24). On first launch, the app fetches a config via HTTPS from api.telega.info/v1/dc-proxy and gets a JSON list of 25 IP addresses masquerading as Telegram data centers.
{
"dc_version": 2,
"dcs": [
{"id":1, "addresses":[
{"host":"130.49.152.50","port":443},
{"host":"130.49.152.20","port":443}
]}
]
}
All addresses belong to Telega's operator. Trust is established via an injected RSA key (fingerprint 0x2c945714333b5ebd) in the libtmessages.49.so library, missing from official Telegram. Servers sign the MTProto handshake with this key, and the client accepts the connection.
The operator generates an auth_key—your account access key. This creates an unauthorized session in the official Telegram app.
Live Test: Confirming the Man-in-the-Middle Attack
On an Android 14 emulator with a test account, after onboarding in Telega, a new session appeared in the official client:
- System Version: iOS SDK 34 (fake, blending iOS + Android API level).
- Location: Russia (based on server IP, ignoring fake GPS in Helsinki).
- IP Address: No data.
- Secret Chats: Accept.
Anyone can verify: Settings → Devices → Active Sessions. The "iOS SDK 34" session points straight to Telega.
Secret Chats and Media Compromised
The operator's session has "Secret Chats: Accept" enabled. When starting a secret chat, the operator's server becomes the E2EE endpoint, getting your plaintext messages.
Gallery photos (not files) get re-encoded:
- Sending a file: SHA-256 stays the same.
- Sending a photo: SHA-256 changes, size drops from 2539 to 2298 bytes, different JPEG library.
The server decodes, processes, and re-encodes the image—seeing it in plain view.
Secret chats are also blocked: Firebase Remote Config sets enable_sc: false. Telegram calls are hard-disabled in code (isTelegramCallFallbackEnabled() = false).
Telemetry and Censorship
Telega sends daily stats to stats.telega.info:
POST /v1/network/usage
{
"items": [
{"content_type":"message", "wifi":{"incoming":3096242, "outgoing":870670}},
{"content_type":"video", "wifi":{"incoming":8766576, "outgoing":0}}
]
}
Data on content types (bytes in/out via WiFi/mobile), tied to user ID via PASETO v4.local.
Censorship mechanism (ru.dahl.messenger.moderation):
- Firebase enables moderation_enabled.
- Client pulls Mlist from api.hub.telega.info (user_id, channel_id).
- Messages get hidden locally.
Code Analysis and Sandboxing
Public GitHub (Telegru/Telegram-Android) is clean upstream—no DC spoofing or RSA key injection. The APK (ru.dahl.messenger) packs private mods.
Tria.ge sandbox for APK SHA-256 efb7a89496e11af0bd8516a7a571a723a393be62feaf542810f999200ffcbe9c: 8/10 threats.
MITRE ATT&CK signatures:
- T1426: root detection (8).
- T1407: dynamic DEX/JAR loading (7).
- T1424: process enumeration (7).
- T1421: network reconnaissance (6).
- T1422: operator data access (6).
Extras: double AppMetrica, PII to /v1/api/account, auto-sub to @telegaru, calls via VK.
Key Takeaways
- Telega swaps Telegram DCs for its own servers, grabbing auth_keys and peeking at plaintext media.
- Sessions fake "iOS SDK 34"—easy to spot in Telegram settings.
- Secret chats blocked and MitM'd.
- Telemetry and censorship controlled server-side, no APK updates needed.
- Public code doesn't match the binary.
— Editorial Team
No comments yet.