Back to Home

Telega spoofs Telegram servers: tech breakdown

Technical audit of Telega revealed spoofing of Telegram DC to operator's servers, auth_key capture and secret chats compromise. Photos are recoded, telemetry collects bytes by content types. Public code does not match APK.

Telega breakdown: how the client steals Telegram sessions
Advertisement 728x90

Telega Exposed: Server Spoofing and Telegram Session Hijacking Breakdown

The Telega alternative client reroutes traffic from Telegram's official servers to its own infrastructure in Kazan (AS203502, subnet 130.49.152.0/24). On first launch, the app fetches a config via HTTPS from api.telega.info/v1/dc-proxy and gets a JSON list of 25 IP addresses masquerading as Telegram data centers.

{
  "dc_version": 2,
  "dcs": [
    {"id":1, "addresses":[
      {"host":"130.49.152.50","port":443},
      {"host":"130.49.152.20","port":443}
    ]}
  ]
}

All addresses belong to Telega's operator. Trust is established via an injected RSA key (fingerprint 0x2c945714333b5ebd) in the libtmessages.49.so library, missing from official Telegram. Servers sign the MTProto handshake with this key, and the client accepts the connection.

The operator generates an auth_key—your account access key. This creates an unauthorized session in the official Telegram app.

Google AdInline article slot

Live Test: Confirming the Man-in-the-Middle Attack

On an Android 14 emulator with a test account, after onboarding in Telega, a new session appeared in the official client:

  • System Version: iOS SDK 34 (fake, blending iOS + Android API level).
  • Location: Russia (based on server IP, ignoring fake GPS in Helsinki).
  • IP Address: No data.
  • Secret Chats: Accept.

Anyone can verify: Settings → Devices → Active Sessions. The "iOS SDK 34" session points straight to Telega.

Secret Chats and Media Compromised

The operator's session has "Secret Chats: Accept" enabled. When starting a secret chat, the operator's server becomes the E2EE endpoint, getting your plaintext messages.

Google AdInline article slot

Gallery photos (not files) get re-encoded:

  • Sending a file: SHA-256 stays the same.
  • Sending a photo: SHA-256 changes, size drops from 2539 to 2298 bytes, different JPEG library.

The server decodes, processes, and re-encodes the image—seeing it in plain view.

Secret chats are also blocked: Firebase Remote Config sets enable_sc: false. Telegram calls are hard-disabled in code (isTelegramCallFallbackEnabled() = false).

Google AdInline article slot

Telemetry and Censorship

Telega sends daily stats to stats.telega.info:

POST /v1/network/usage
{
  "items": [
    {"content_type":"message", "wifi":{"incoming":3096242, "outgoing":870670}},
    {"content_type":"video", "wifi":{"incoming":8766576, "outgoing":0}}
  ]
}

Data on content types (bytes in/out via WiFi/mobile), tied to user ID via PASETO v4.local.

Censorship mechanism (ru.dahl.messenger.moderation):

  • Firebase enables moderation_enabled.
  • Client pulls Mlist from api.hub.telega.info (user_id, channel_id).
  • Messages get hidden locally.

Code Analysis and Sandboxing

Public GitHub (Telegru/Telegram-Android) is clean upstream—no DC spoofing or RSA key injection. The APK (ru.dahl.messenger) packs private mods.

Tria.ge sandbox for APK SHA-256 efb7a89496e11af0bd8516a7a571a723a393be62feaf542810f999200ffcbe9c: 8/10 threats.

MITRE ATT&CK signatures:

  • T1426: root detection (8).
  • T1407: dynamic DEX/JAR loading (7).
  • T1424: process enumeration (7).
  • T1421: network reconnaissance (6).
  • T1422: operator data access (6).

Extras: double AppMetrica, PII to /v1/api/account, auto-sub to @telegaru, calls via VK.

Key Takeaways

  • Telega swaps Telegram DCs for its own servers, grabbing auth_keys and peeking at plaintext media.
  • Sessions fake "iOS SDK 34"—easy to spot in Telegram settings.
  • Secret chats blocked and MitM'd.
  • Telemetry and censorship controlled server-side, no APK updates needed.
  • Public code doesn't match the binary.

— Editorial Team

Advertisement 728x90

Read Next