Hack Time, Habr!
The other day, I came across a high-profile investigation by Dmytro Tarasenko (aka iTaysonLab); my own investigation is a continuation of his and does not replace it.
He was the one who decompiled the APK of the new 'Telega' app, identified links to the VK and Catogram infrastructure, and published the details on the BruhCollective Telegram channel.
My colleagues uncovered many alarming facts, but as someone who loves to dig into the guts of applications, I wanted to go further, confirm their findings, and find what dynamic analysis missed.
I decided to conduct a full static analysis of the APK, deobfuscating the code to create the most complete and technically supported picture possible.
What is really hiding behind the promises of an 'improved' Telegram?
Let's take a look.
Spoiler: it's not secure, not private, but it's damn interesting. Let's go!
Chapter 1: Tools at the Ready. The First Dissection
To start, the standard toolkit for any self-respecting reverse engineer:
apktool: for unpacking resources and AndroidManifest.xml.
jadx: for decompiling DEX files into Java code.
strings, nm, grep and a steady hand.
Unpacking our patient:
apktool d Telega-1.11.3-TG-12.0.1.apk
jadx -d jadx_output Telega-1.11.3-TG-12.0.1.apk
The very first look at the decompiled code brought a slight smirk to my face.
Almost the entire application code, except for standard libraries, was run through R8 — the standard obfuscator for Android.
This wasn't just code compression, but a deliberate and total attempt to cover their tracks, turning the code into an unreadable mess of meaningless names. I'm not saying its presence is inappropriate, as it complies with messenger policies, but when 72% of the APK code is obfuscated, the developers are clearly hiding something. Challenge accepted.
After several hours of working with deobfuscation utilities, I managed to restore about 92% of the original names, and only then did the picture begin to clear up.
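One way to put a number on "how much of the APK is obfuscated", as an added example that is not part of the original analysis or of any project's code: a class is counted as minified when its name or a deeper package segment looks R8-generated, library packages are excluded, and the sample path list is constructed, not the real Telega class list.

```python
# Added example for this write-up, not part of the original analysis or of
# any project's code: estimate the share of app classes that carry
# R8-minified names. Assumes a jadx tree (jadx -d jadx_output <apk>) with
# sources under jadx_output/sources; SAMPLE_PATHS below is constructed.
import os
import re

# R8 minified identifiers: 1-3 lowercase letters plus optional digits
# ("a", "bz", "c0", "ab1"). Descriptive names like "Tracker" do not match.
MINIFIED = re.compile(r"^[a-z]{1,3}\d*$")

# Third-party packages R8 usually leaves readable, dropped from the count so
# they do not dilute the ratio (the list itself is an assumption).
LIBRARY_PREFIXES = ("androidx/", "android/", "kotlin/", "kotlinx/",
                    "com/google/", "org/", "okhttp3/", "okio/")

def is_obfuscated(rel_path):
    """True when the class name or a deeper package segment looks minified."""
    parts = rel_path[:-len(".java")].split("/")
    # The first two segments ("ru/dahl", "com/example") are legitimately
    # short, so judge only the class name and any packages below them.
    return any(MINIFIED.match(p) for p in parts[-1:] + parts[2:-1])

def obfuscation_ratio(rel_paths):
    """Fraction of app classes (libraries excluded) with minified names."""
    app = [p for p in rel_paths
           if p.endswith(".java") and not p.startswith(LIBRARY_PREFIXES)]
    if not app:
        return 0.0
    return sum(is_obfuscated(p) for p in app) / len(app)

def scan_jadx_tree(root):
    """Walk <root>/sources and return the obfuscation ratio for the tree."""
    src = os.path.join(root, "sources")
    rel = [os.path.relpath(os.path.join(d, f), src).replace(os.sep, "/")
           for d, _, files in os.walk(src) for f in files]
    return obfuscation_ratio(rel)

# Constructed sample tree, not the real Telega class list.
SAMPLE_PATHS = [
    "ru/dahl/messenger/utils/Tracker.java", "ru/dahl/messenger/Extra.java",
    "ru/dahl/messenger/data/UserRepository.java", "ru/dahl/messenger/a/b.java",
    "a/c0.java", "bz/k/j2.java", "d/e.java", "f1/g.java",
    "androidx/core/app/NotificationCompat.java", "kotlin/Unit.java",  # libraries
]

if __name__ == "__main__":
    print(f"obfuscated share of app classes: {obfuscation_ratio(SAMPLE_PATHS):.0%}")
```

Run scan_jadx_tree("jadx_output") against a real jadx directory to get the figure for an actual APK; the heuristic undercounts when R8 keeps readable names via keep rules.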
Chapter 2: Big Brother from VK. Hello, myTracker!
The first thing I look for in any application is trackers. A simple search for the keyword tracker yielded more than 10,000 matches.
The main culprit turned out to be com.my.tracker.MyTracker — the official 'bug' from VK.
All the logic for working with it was neatly placed in a wrapper class ru.dahl.messenger.utils.Tracker.java.
Looking inside, I understood the scale of the tragedy. The application tracks almost everything:
The full authentication cycle: from entering a phone number (auth_phone_submit) to a successful login (auth_success).
Granting permissions: of particular interest is auth_call_log_permission_grant. Yes, they want to know if you've granted access to your call log.
Proxy usage: every action related to the proxy is sent to the server.
Linking to identity: to ensure the analytics are not anonymous, the user's ID is explicitly fed to the tracker: MyTracker.setCustomUserId(id).
A vpn_enabled parameter is kindly attached to every event. They want to be sure they know everything about you, even if you try to hide it.
Chapter 3: The 'Free' Cheese. Dissecting the Proxy Mousetrap
Now for the main course. How does the 'secure' proxy work?
The API for getting the list of servers is located at https://api.telega.info/v1/auth/proxy.
Proxy settings are applied through the native library libtmessages.49.so and the C++ function ConnectionsManager::setProxySettings.
This means the proxy is configured at a low level, bypassing standard Android APIs, and all application traffic is routed through the service owners' servers.
There can be no talk of anonymity or security here.
Chapter 4: Calls via 'Odnoklassniki' and Other 'Surprises'
While we were conducting our research, our colleagues in the field were not idle either.
Special respect to the ex-Telegram developer Dmytro Tarasenko (iTaysonLab/vkryl) and the Habr author denis-19, whose findings we were able to confirm and expand upon.
Calls via OK.ru: in the class ru.dahl.messenger.Extra we found a constant:
public static final String CALLS_BASE_URL = "https://calls.okcdn.ru/";
This is direct proof that VoIP calls in the application are routed through the servers of 'Odnoklassniki' (another VK Group asset).
Centralized authorization: in the code of UserRepository the bot name @dahl_auth_bot is hardcoded. This confirms that a bot is used for authorization, which can collect user metadata at the time of login.
Hidden censorship: in the application's resources, we found a string:
"Материал недоступен в связи с нарушениями правил платформы"
(roughly: "Content unavailable due to violations of platform rules")
This is a template for a blacklist mechanism that allows the owners to block any content at their discretion.
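The findings of Chapters 2 to 4 (tracker events, the user-ID link, the vpn_enabled parameter, hardcoded endpoints and the auth bot) are the kind of thing a short triage pass over decompiled sources can surface. The script below is an added example, not Telega's code and not the MyTracker SDK; both Java snippets are constructed to resemble the wrapper and constants classes described above.

```python
# Added example for this write-up, not Telega's code and not the MyTracker
# SDK: a triage pass over jadx output for analytics events, identity
# linking and hardcoded infrastructure. Both Java snippets are constructed.
import re

STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
EVENT_CALL = re.compile(r'\btrackEvent\(\s*"([^"]+)"')
PARAM_PUT = re.compile(r'\.put\(\s*"([^"]+)"')
URL = re.compile(r'^https?://[^\s"]+$')
BOT_HANDLE = re.compile(r'^@\w+_bot$')

def tracker_events(src):
    """Event names passed to trackEvent(), in order of first appearance."""
    return list(dict.fromkeys(EVENT_CALL.findall(src)))

def event_params(src):
    """Keys put into event parameter maps (e.g. vpn_enabled)."""
    return sorted(set(PARAM_PUT.findall(src)))

def links_identity(src):
    """True when the wrapper hands a user id to the tracker."""
    return "setCustomUserId(" in src

def hardcoded_infra(src):
    """String literals that are URLs or Telegram bot handles."""
    out = {"urls": [], "bots": []}
    for lit in STRING_LIT.findall(src):
        if URL.match(lit):
            out["urls"].append(lit)
        elif BOT_HANDLE.match(lit):
            out["bots"].append(lit)
    return out

# Constructed sample shaped like a decompiled MyTracker wrapper class.
TRACKER_JAVA = '''public final class Tracker {
    public static void onPhoneSubmit() { MyTracker.trackEvent("auth_phone_submit", base()); }
    public static void onLogin(long id) { MyTracker.setCustomUserId(String.valueOf(id)); MyTracker.trackEvent("auth_success", base()); }
    public static void onCallLogGranted() { MyTracker.trackEvent("auth_call_log_permission_grant", base()); }
    private static Map<String, String> base() { Map<String, String> m = new HashMap<>(); m.put("vpn_enabled", String.valueOf(vpnActive())); return m; }
}'''
# Constructed sample with hardcoded endpoints and an auth bot handle.
EXTRA_JAVA = '''public final class Extra {
    public static final String CALLS_BASE_URL = "https://calls.okcdn.ru/";
    public static final String PROXY_API = "https://api.telega.info/v1/auth/proxy";
    public static final String AUTH_BOT = "@dahl_auth_bot";
}'''
```

Point the four functions at each file under jadx_output/sources to build the same inventory for a real APK.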
Chapter 5: The Cast of Characters and Inconsistencies
Colleagues also dug up the project's background. The founders are Fanis Sadykov and Alexander Smirnov, previously associated with the VK Group project Movika Studio. They themselves claim that they sold the startup to VK a year ago and are now simply 'using publicly available VK technologies on commercial terms'.
However, this statement does not stand up to scrutiny. Researchers point out that the endpoints used, such as dal.mvk.com, are internal VK domains, not part of the public VK Cloud. This indicates a direct and deep integration, not just the use of a public API.
Chapter 6: Reconnaissance and 'Tilda'
Out of curiosity, we also took a look at their website telega.me. The wafw00f utility showed that the site is behind a firewall from DDoS-GUARD.
But the funniest part was revealed in the HTTP headers: x-tilda-server.
Their entire fancy website is built on the Tilda website builder!
It's like putting cart wheels on a sports car. It becomes clear why they didn't invest in the site: it's just a pretty storefront for a 'convenient Telegram-like experience', much like Max (which, as we know, gets reception even without a battery, heh).
Epilogue: The Icing on the Cake — mt_click_id
The final touch was the parameter ?mt_click_id=... in the developer's website URL, which is automatically assigned to every visitor.
The prefix mt_ is the signature tag of MyTracker.
This is a click ID used for end-to-end user tracking throughout the entire funnel: ad click - visit to the site - app install.
This closes the surveillance loop and proves that the entire 'Telega' ecosystem is built around data collection.
Final Verdict
'Telega' is not just an alternative messenger.
Based on the analysis conducted, the application carries out large-scale collection of user data and interacts with the VK infrastructure.
Technical resources have revealed elements that allow for centralized restriction of access to content, which can be used to implement censorship mechanisms.
Privacy: Implemented to a very limited extent — the application collects a significant amount of information about user actions and transmits it to VK, linked to a unique ID.
Security: The free proxy used is centralized and fully controlled by the service owners, which does not guarantee the anonymity or security of the transmitted data.
Honesty: The developers' public statements about their independence from VK are not confirmed by the results of the technical investigation. Be attentive and critical of claims about the freeness and security of such solutions. Technical facts prevail over marketing claims.
That's all. Be vigilant and don't trust free cheese. The code doesn't lie.