BREAKING: Nekogram is secretly sending your phone numbers to the developer.
The backdoor is hidden in the Extra.java file, which differs from the template uploaded to the repository. The obfuscated code sends data as an inline request to @nekonotificationbot, leaving no trace.
More info:
(locked by Nekogram devs)
To validate this, a developer built a PoC — an LSPosed module that replaces the bot ID and username with theirs, redirecting all requests to it. This independently confirmed that phone numbers are being collected. Every. Login.
PoC available here:
The developer's response when confronted:
Screenshots:
