cross-posted from: https://piefed.world/c/tech/p/1146502/telegram-apk-from-apkpure-is-a-spyware
On analyzing the APK with jadx, it contains a class DataCollector, which does not exist in the .apk file downloaded from the official Telegram website.
This class collects a lot of your data, including:
- Your photos, videos, and files
- Your contacts
- Your messages
- Your GPS Coordinates
- Your SIM card information
- Your Telegram profile
This data is monitored and uploaded continuously. All the data is uploaded to a server with IP Address 38.190.225.166
💬 Initial discovery by Eric Parker
maybe there were before, but now something has changed, I would recommend looking at alternatives to this site, for example in fmhy(.)net or in alternative net, but I would download the application from official sources, like the play market or open source programs in f-droid
I know that APKMirror supposedly verifies the APK files’ hashes against official sources, so APKs you get there should be fine, unless the developer was compromised at some point, or unless APKMirror itself is lying, but it is run by the people behind Android Police, as far as I know.