cross-posted from: https://piefed.world/c/tech/p/1146502/telegram-apk-from-apkpure-is-a-spyware
On analyzing the APK with jadx, it contains a class DataCollector, which does not exist in the .apk file downloaded from the official Telegram website.
This class collects a lot of your data, including:
- Your photos, videos, and files
- Your contacts
- Your messages
- Your GPS Coordinates
- Your SIM card information
- Your Telegram profile
This data is monitored and uploaded continuously. All the data is uploaded to a server with IP Address 38.190.225.166
💬 Initial discovery by Eric Parker
This is why it really sucks that app developers offering their APKs directly isn’t more common, forces people to turn to sites like this. I’ve installed apps from apkmirror just because I want to avoid Google Play. I don’t really understand why there isn’t some third party app store that helps lift the hosting+verification burden from developers but still doesn’t rely on randos uploading apks from gplay.
What a great world it would be if every time you went to some software’s website with an app, they had that “download from google play” button right next to a “download from <this other legit Store>” button so you know its their real account, and a “download apk” button, because why not put some faith in users?
this is literally exactly why f-droid exists
https://f-droid.org/fr/packages/com.aurora.store/
I did just upvote you but i’m also leaving a comment because that’s how happy i am with Aurora Store doing the hard work