this post was submitted on 03 Apr 2026
66 points (100.0% liked)


This is why we install from FDroid.

[–] Staff@piefed.world 1 points 1 day ago

I use Forkgram but it acts a little weird sometimes. First it shouts empty notifications randomly, usually 2 back to back. When I open Firefox somehow Forkgram opens a notification too. It doesn't happen every time but still it's weird. Anyone with similar behaviors on that app?

[–] Pika@sh.itjust.works 5 points 2 days ago

PSA on anyone who used this. Terminate your session via active sessions on another Telegram app after you "log out".

This app ALSO doesn't properly invalidate your session token like most apps do, so even though it "logs out" on the UI, the auth token to the telegram stays active.

While there hasn't been any evidence that it transmits auth tokens, since it was confirmed AND admitted that they logged phone numbers, it's better to be safe than sorry.

[–] lemmysmash@beehaw.org 2 points 3 days ago

Being honest, I would be surprised if there wasn't malware there. The whole Telegram platform is kind of a nesting ground for it.

[–] inari@piefed.zip 9 points 4 days ago (1 children)

Would an F-Droid release have found this issue? 

[–] artyom@piefed.social 15 points 4 days ago (1 children)

No, but it would have avoided it since it's compiled from source.

[–] inari@piefed.zip 20 points 4 days ago

Yeah... one of the criticisms levied at F-Droid is that you need to trust them over the app developers but as we can see in cases like this, I think that's a feature, not a bug.

It's one reason I'll never use something like Obtainium for instance.

[–] CumbrianCucumber@lemmy.world 2 points 3 days ago

Hasn't Telegram being Russian spyware been known for years now?

[–] Kissaki@programming.dev 2 points 3 days ago* (last edited 3 days ago)

So, assuming good faith, they used two Telegram bots for some service functionality

these two bots are used to resolve username from user id, eg tg://user?id=25

Obviously, that should never happen silently. But these findings don't necessarily mean data has been compromised [beyond the scope of the app itself].

I get they may be very frustrated and annoyed at the negative blowback after their FOSS efforts, but dismissing concerns isn't a good way to respond.

[–] Pika@sh.itjust.works 4 points 3 days ago* (last edited 3 days ago)

Well shoot. That was a good messenger too.

Edit: Looking into it. It looks like the dev even admitted to it as well. So that's surprising.

Link may require telegram