Security researcher and reverse engineer Eric Parker issued an urgent warning on X on May 24: APKPure, a third-party Android app store, is distributing a maliciously modified version of Telegram 12.6.5. Reverse engineering revealed that this APK was repackaged and re-signed; it contains a spy framework named DataCollector (comprising over 3,000 lines of code) embedded in classes3.dex. The framework has the C2 server address 38.190.225.166 hard-coded into it, along with multiple data exfiltration endpoints such as /api/collect, /api/collect_batch, and /api/image. It can steal all chat history, contacts, phone photo galleries, documents, GPS location data, and SIM card information, with all data encrypted via AES-GCM prior to upload. Meanwhile, developers have also noticed that the official Telegram APK distributed via APKPure has an incorrect signature, while the package name for Telegram X shows irregularities. Currently, only the web version remains functional, though it is not the latest release.
Founded in 2014, APKPure offers access to numerous Android apps and historical versions unavailable on the Google Play Store, boasting a massive user base. In 2023, Huya, a live streaming platform for games, acquired 100% of APKPure’s equity from Tencent for $81 million in cash. This platform has a spotty security track record: in 2021, Kaspersky reported that its client app contained an SDK laden with malicious ad code; in October 2025, Dr.Web uncovered a modified Telegram X version containing the Baohuo backdoor circulating on APKPure. Security experts strongly advise that users should only download Telegram’s Android APK from telegram.org or the official Google Play Store, as any version sourced from third-party stores carries unknown risks.
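A triage check built from the indicators reported above, as an added example that is not taken from Eric Parker's analysis or from any tool named in this article: it scans every classes*.dex entry of an APK for the hard-coded C2 address and endpoint paths. The names scan_apk and constructed_sample, the 64 MiB size cap, and the sample archive are assumptions made for this illustration.

```python
import io
import re
import sys
import zipfile

# Indicators as given in the report above; nothing else is assumed about the sample.
INDICATORS = (b"38.190.225.166", b"/api/collect", b"/api/collect_batch", b"/api/image")
# The lookahead stops "/api/collect" from also counting "/api/collect_batch".
PATTERNS = {i.decode(): re.compile(re.escape(i) + rb"(?![0-9A-Za-z_])") for i in INDICATORS}
DEX_NAME = re.compile(r"classes\d*\.dex")
MAX_DEX_BYTES = 64 * 1024 * 1024  # assumed cap; oversized entries in untrusted archives are skipped


def scan_apk(apk):
    """Map each DEX entry in `apk` (path or binary file object) to the indicators found in it.

    DEX string data is MUTF-8, so ASCII indicators appear as plain bytes.
    """
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if not DEX_NAME.fullmatch(info.filename) or info.file_size > MAX_DEX_BYTES:
                continue
            data = zf.read(info)
            found = sorted(name for name, pat in PATTERNS.items() if pat.search(data))
            if found:
                hits[info.filename] = found
    return hits


def constructed_sample():
    """Constructed stand-in for an APK: two fake DEX entries, one carrying the indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00\x0bhello world\x00")
        zf.writestr("classes3.dex", b"dex\n035\x00"
                    b"\x27http://38.190.225.166/api/collect_batch\x00"
                    b"\x0a/api/image\x00")
        zf.writestr("assets/readme.txt", b"38.190.225.166")  # not a DEX entry, ignored
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else constructed_sample()
    for dex, found in scan_apk(target).items():
        print(f"{dex}: {', '.join(found)}")
```

A hit is reason to discard the file, but an empty result does not show that an APK is authentic; comparing its signing certificate with that of the official release is the check for that.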