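It is also worth noting that, besides the @nekonotificationbot (1190800416) mentioned above, the TrustedBot entry in the source code also includes @WatchdogNextBot (6371744499), for reference.
To verify this, we built a PoC: an LSPosed module that replaces the bot ID and username with our own, so that all requests are sent to our server. In this way, we confirmed that phone numbers are indeed being collected. This happens on every login.
The PoC is available here: https://github.com/RomashkaTea/nekogram-proof-of-logging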
https://t.me/EvolutionXOfficial/2488
According to SOTA,
"The backdoor is hidden in the Extra.java file, which differs from the template uploaded to the repository. The obfuscated code sends data as an inline request to the @nekonotificationbot, leaving no trace. The same file implements account 'doxing' via several bots; it is possible that the leaked data is used to populate their databases."
Additionally, the creator of the Nekogram client (presumably a Chinese national) was previously known for conducting DDoS attacks and unethical online behavior (including death threats against acquaintances).
Apparently, in the early versions of the client, de-anonymization was applied only to Chinese phone numbers, which could have been used for political surveillance. However, it is now applied to all users.