A study has been published claiming that Telega, an alternative Telegram client, contains changes that allow a man-in-the-middle (MITM) attack and disable key elements of Telegram's cryptographic protection. The Telega client uses the code of the original Telegram Android client, distributed under the GPLv2 license, but does not disclose the changes made, contrary to the requirements of that license.
The conclusion about the possibility of intercepting user traffic is made on the basis of several technical findings identified after decompiling the APK package, analyzing libraries and studying network calls:
- The Telega client redirects traffic through its own infrastructure: at startup it contacts api.telega.info/v1/dc-proxy and receives a JSON list of "data centers" that are substituted for the official Telegram addresses. This behavior can be explained as an attempt to bypass blocking of direct access to Telegram servers. As long as the official Telegram public keys are used, such a proxy can only relay encrypted traffic to Telegram servers; it cannot access the content without the private keys held on the official Telegram servers.
- An additional RSA public key was found in the build that is not present in official Telegram clients. When establishing encrypted sessions with its own servers, Telega can use this key, for which the paired private key is known.
- Address substitution combined with the use of its own public key makes a MITM attack possible: access to all incoming and outgoing messages in a chat, viewing of the correspondence history, replacement of message contents, and actions on the user account without the user's involvement.
- PFS (Perfect Forward Secrecy) mechanisms and support for secret E2E chats are either disabled by default or controlled by a remote configuration fetched through the same dc-proxy (the client ignores secret chats and hides the UI elements for creating them).
- Remote filters/blacklists were identified in the code that let the server hide channels, profiles, and chats on the client side at its discretion, via requests to api.telega.info/v1/api/blacklist/filter.
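As an added illustration of the audit the first three findings imply (example code written for this article, not from the study or from the Telega or Telegram code): it checks a dc-proxy style JSON list against Telegram's own networks and computes MTProto key fingerprints for the RSA keys embedded in a client, flagging any key that is not pinned. The JSON field names, the sample keys and the network list are assumptions and must be verified before use.

```python
import hashlib
import ipaddress
import json
import struct

# Assumption: Telegram's production DC networks (AS62041); verify and pin them yourself.
OFFICIAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("149.154.160.0/20", "91.108.4.0/22", "91.108.56.0/22")]

def tl_bytes(data: bytes) -> bytes:
    """TL 'bytes' encoding: length prefix, payload, zero padding to a 4-byte boundary."""
    if len(data) < 254:
        out = bytes([len(data)]) + data
    else:
        out = b"\xfe" + len(data).to_bytes(3, "little") + data
    return out + b"\x00" * (-len(out) % 4)

def rsa_fingerprint(n: int, e: int) -> int:
    """MTProto key fingerprint: low 64 bits of SHA-1 over TL-serialised n and e."""
    n_b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_b = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return struct.unpack("<q", hashlib.sha1(tl_bytes(n_b) + tl_bytes(e_b)).digest()[-8:])[0]

def audit_client(dc_list_json: str, embedded_keys: dict, pinned: set) -> list:
    """Flag DC endpoints outside Telegram's networks and RSA keys not in the pinned set."""
    findings = []
    for dc in json.loads(dc_list_json):  # "id"/"ip"/"port" field names are constructed
        ip = ipaddress.ip_address(dc["ip"])
        if not any(ip in net for net in OFFICIAL_NETWORKS):
            findings.append(f"dc{dc['id']} {ip}:{dc['port']} is outside Telegram's networks")
    for name, (n, e) in embedded_keys.items():
        fp = rsa_fingerprint(n, e)
        if fp not in pinned:
            findings.append(f"key '{name}' fingerprint {fp & (2**64 - 1):#018x} is not pinned")
    return findings

def fake_modulus(label: bytes) -> int:
    """Constructed 2048-bit odd integer standing in for a modulus (not a real RSA key)."""
    return int.from_bytes(hashlib.sha256(label).digest() * 8, "big") | (1 << 2047) | 1

# Constructed sample: one DC entry inside Telegram's range, one substituted endpoint,
# one key pinned as "official" and one extra key of the kind the study describes.
SAMPLE_DC_LIST = json.dumps([{"id": 2, "ip": "149.154.167.51", "port": 443},
                             {"id": 2, "ip": "203.0.113.10", "port": 443}])
OFFICIAL_KEY = (fake_modulus(b"pinned"), 65537)
EXTRA_KEY = (fake_modulus(b"extra"), 65537)
PINNED_FINGERPRINTS = {rsa_fingerprint(*OFFICIAL_KEY)}

def run_sample() -> list:
    return audit_client(SAMPLE_DC_LIST,
                        {"official": OFFICIAL_KEY, "extra": EXTRA_KEY}, PINNED_FINGERPRINTS)
```

Running `run_sample()` reports the substituted endpoint and the unpinned extra key; a client that passes both checks can at most be proxied, not decrypted.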
Telega is positioned as a “Telegram client created on the basis of the open source messenger code” that can be used without a VPN, and