Complete technical analysis of a Man-in-the-Middle attack built into the Telega unofficial Telegram client. DC proxy IP substitution, RSA key injection, PFS disabling, secret chat suppression, and government censorship infrastructure.
ru.dahl.messenger — confirmed spyware. Unofficial Telegram client with a built-in MITM proxy, a rogue RSA key, PFS disabled, secret chats suppressed, and government censorship integration (RKN). All Telegram traffic is interceptable.
Telega is an unofficial Telegram client (ru.dahl.messenger) marketed as a "faster, more convenient" alternative. In reality, it is a state-sponsored surveillance tool with a built-in Man-in-the-Middle attack against Telegram's encryption.
On March 18, 2026, Telega's operators activated a hidden MITM function that redirects all Telegram traffic through their own proxy servers. They replace Telegram's DC IP addresses, inject a rogue RSA public key, disable Perfect Forward Secrecy, suppress end-to-end encrypted secret chats, and operate censorship panels (Zeus, Cerberus) that process blocking requests from Russian government agencies (RKN).
1. Replaces Telegram servers with its own. On startup, Telega fetches proxy config from api.telega.info/v1/dc-proxy, receiving IP addresses in the 130.49.152.0/24 range (AS203502, "JOINT STOCK COMPANY TELEGA"). These replace real Telegram data center addresses. All your traffic now flows through Telega's infrastructure.
2. Injects a rogue encryption key. The APK's native library (libtmessages.49.so) contains 4 RSA public keys. Official Telegram has only 3 of these. The extra key (at address 0x15788E1) is accepted only by Telega's proxy servers — proving they hold the private key. This enables full traffic decryption.
3. Forces re-login to seize encryption keys. Via silent push notifications (dc_force_switch, dc_update_version) or a deceptive promo banner ("Re-login to speed up your connection"), Telega forces a logout that destroys your auth_key. The new handshake goes through MITM, giving them a fresh encryption key.
4. Disables Perfect Forward Secrecy. Official Telegram hardcodes PFS as true. Telega defaults it to false via /dc-proxy options. Without PFS, a single key compromise exposes all past and future messages.
5. Silently blocks secret chats. Via Firebase Remote Config (enable_sc=false), Telega suppresses all E2E encrypted secret chats. Incoming requests are silently ignored. The "Start Secret Chat" button is hidden. Users never know.
6. Censors content on government orders. Built-in blacklist system (api.telega.info/v1/api/blacklist/filter) blocks channels, users, and bots for all Telega users, showing "Content unavailable due to platform policy violations" — making users think Telegram blocked it, not Telega.
7. Operates moderation panels for RKN. Two discovered panels: Zeus (ticket system for Roskomnadzor blocking requests) and Cerberus (real-time AI-powered message moderation Mini App). Both found on stage.telega.info subdomains.
8. Collects extensive device data. Reads contacts, photos, running processes, accounts, phone state, network info, location (fine + coarse + background). Uses Yandex AppMetrica for analytics. Checks for root, debugger, QEMU emulator to evade analysis.
This is not a "minor privacy concern". Telega operators can: read all incoming and outgoing messages in any chat, view full message history, modify message content, block channels/users while blaming Telegram, store all your data and share it with third parties — especially law enforcement.
One Telega user compromises all their contacts. Anyone who messages a Telega user has their messages intercepted — even if they use the official Telegram client. The contacts don't know and can't consent.
Telega is worse than a government messenger. At least with a government app, you know your messages are monitored. With Telega, you believe you're using Telegram's encryption — while everything flows through state-connected infrastructure.
If you use Telega: Uninstall immediately. Log out of all Telegram sessions from Settings → Devices. Change your 2FA password. Warn your contacts that your messages may have been intercepted.
If you don't use Telega: Warn anyone who does. Block api.telega.info, gate.telega.info, and the 130.49.152.0/24 subnet at your network perimeter. Use only the official Telegram client or Telegram's built-in proxy.
YonSeSecurity Threat Score: 8.0 / 10 — CRITICAL. If you used Telega, consider all Telegram messages compromised.
Telega (ru.dahl.messenger) is an unofficial Telegram client for Android that embeds a fully functional Man-in-the-Middle attack against the MTProto protocol. The application replaces Telegram data center IP addresses with proxy servers controlled by AS203502 ("JOINT STOCK COMPANY TELEGA"), injects a fourth RSA public key not present in official Telegram, and disables Perfect Forward Secrecy — enabling complete interception, decryption, and modification of all user traffic.
Sandbox analysis by Recorded Future scored the sample 8/10 (Likely Malicious) across two independent runs, flagging defense evasion, data collection, execution, persistence, and impact behaviors. Reverse engineering of the APK (jadx) and native library (IDA Pro on libtmessages.49.so) confirmed the MITM infrastructure at the code level.
Additionally, Telega operates two moderation/censorship panels discovered on stage.telega.info: Zeus (a ticket system processing Roskomnadzor blocking requests) and Cerberus (a Telegram Mini App for real-time AI-powered message moderation). The upstream AS of Telega's network is AS47764 LLC VK (Mail.ru), indicating potential ties to Russian state-connected technology companies.
Classification: Spyware / MITM Proxy / Government Surveillance Tool
| Field | Value |
|---|---|
| Filename | Telega_(RS)_v.2.4.0(104)(7.0-15.0)(arm7a,arm64-8a).apk |
| Size | 129.5 MB |
| SHA256 | ca47b6d304aeeff3be30c564f50939df4463aef810974c2e306eb9ef006d34f0 |
| Package | ru.dahl.messenger |
| Platform | Android 7.0–15.0 (arm7a, arm64-8a) |
| Sandbox IDs | 260324-wx176sds9n, 260324-w2hxdshw7y |
| Sandbox Score | 8 / 10 — Likely Malicious |
| Sandbox Platform | android-35-x64-arm64-20260306-en |
| Analysis Tags | collection defense_evasion discovery execution persistence impact |
| Distribution Site | telega.me |
| Telegram Channels | @dahlmessenger, @telegaru |
On startup, Telega's DCRestService makes a GET request to https://api.telega.info/v1/dc-proxy. The response contains replacement IP addresses for all 5 Telegram data centers:
All IPs are in 130.49.152.0/24, belonging to AS203502 "JOINT STOCK COMPANY TELEGA", registered November 24, 2025 (very recent). The sole upstream is AS47764 LLC VK (Mail.ru), and the neighboring subnet 130.49.224.0/19 also belongs to VK. This raises questions about how a "small startup from Kazan" obtained its own autonomous system number and a /24 IP block. These IPs replace the real Telegram DC addresses (e.g., 149.154.167.50 for DC2 in Amsterdam).
LoginActivity.onFragmentCreate() → DCAuthHelper.initialize() → DCRepository.fetchAndSaveDcs() → GET api.telega.info/v1/dc-proxy → DCRepository.handleDcConfig() → ConnectionsManager.setDcVersion() with Telega's IPs replacing all Telegram DCs.
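The practical check that follows from this flow is whether the DC endpoints a client ends up using belong to Telegram at all. The script below is an added example, not code from the article or from Telega: it audits a DC table against an allow-list of Telegram's own address space and flags anything in the AS203502 range or elsewhere. The allow-list (149.154.160.0/20, 91.108.0.0/16 slices, 185.76.151.0/24) is this example's assumption, to be maintained from Telegram's published data, and the JSON field names are hypothetical because the real /dc-proxy response schema is not reproduced here.

```python
import ipaddress
import json

# Telegram's production address space as announced by Telegram's own ASNs
# and hard-coded in the official clients. This allow-list is an assumption of
# this example; keep it current from Telegram's published data.
TELEGRAM_NETWORKS = [ipaddress.ip_network(n) for n in (
    "149.154.160.0/20",
    "91.108.4.0/22", "91.108.8.0/22", "91.108.12.0/22",
    "91.108.16.0/22", "91.108.20.0/22", "91.108.56.0/22",
    "185.76.151.0/24",
)]

# Range the analysis attributes to AS203502 "JOINT STOCK COMPANY TELEGA".
TELEGA_NETWORK = ipaddress.ip_network("130.49.152.0/24")

# Constructed sample. The real /dc-proxy response schema is not shown in the
# article, so the field names below ("dcs", "id", "ip", "port") are hypothetical.
SAMPLE_DC_CONFIG = json.dumps({"dcs": [
    {"id": 2, "ip": "149.154.167.50", "port": 443},   # genuine DC2
    {"id": 2, "ip": "130.49.152.12", "port": 443},    # substituted
    {"id": 4, "ip": "149.154.167.91", "port": 443},   # genuine DC4
    {"id": 5, "ip": "130.49.152.200", "port": 443},   # substituted
    {"id": 3, "ip": "10.0.0.5", "port": 443},         # neither: unknown
]})


def classify_dc_ip(ip: str) -> str:
    """'telegram' if inside Telegram's ranges, 'telega-proxy' if in the
    AS203502 range, otherwise 'unknown' (treat as hostile until explained)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in TELEGRAM_NETWORKS):
        return "telegram"
    if addr in TELEGA_NETWORK:
        return "telega-proxy"
    return "unknown"


def audit_dc_config(config_json: str) -> dict:
    """Map each DC id to its [(ip, verdict), ...] entries."""
    findings = {}
    for entry in json.loads(config_json)["dcs"]:
        findings.setdefault(entry["id"], []).append(
            (entry["ip"], classify_dc_ip(entry["ip"])))
    return findings


def is_substituted(config_json: str) -> bool:
    """True if any DC endpoint lies outside Telegram's own address space."""
    return any(verdict != "telegram"
               for entries in audit_dc_config(config_json).values()
               for _, verdict in entries)


if __name__ == "__main__":
    for dc_id, entries in sorted(audit_dc_config(SAMPLE_DC_CONFIG).items()):
        for ip, verdict in entries:
            print(f"DC{dc_id:<2} {ip:<16} {verdict}")
    print("substituted:", is_substituted(SAMPLE_DC_CONFIG))
```

The same classifier can be pointed at a live client: dump the DC addresses the app actually connects to (from a packet capture or the connection manager's state) and feed them in; any verdict other than "telegram" means the client is no longer talking to Telegram directly.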
Firebase Remote Config includes connection_no_vpn_mode: "true", actively discouraging VPN usage. When Telega mode activates (dcVersion == 2), all user-configured proxies are silently deleted:
Telega can force logout via multiple vectors, destroying the auth_key and forcing a new MTProto handshake through the MITM proxy:
| Vector | Class | Trigger |
|---|---|---|
| Silent push | TelegaPushHandler | type=dc_update_version, force_relogin=true |
| Silent push | TelegaPushHandler | type=dc_force_switch, force_reconnect=true |
| Deep link | DCDeepLinkHandler | tg://dc_event?force_relogin=true |
| Promo banner | DCMigrationHelper | "Re-login to speed up your connection" |
The promo banner (classes PromoRestClient, DahlBannerCell, DCMigrationHelper) shows:
The TelegramBridge.logout() method executes three destructive operations:
Analysis of libtmessages.49.so (arm64) via IDA Pro reveals 4 RSA public keys. Official Telegram contains only 3 of these:
| Address | In Telegram? | Status |
|---|---|---|
| 0x1576FFC | Yes (0x15704DC) | Legitimate |
| 0x15788E1 | NO | ROGUE KEY |
| 0x1578A8B | Yes (0x1571CAE) | Legitimate |
| 0x1578C35 | Yes (0x1571E58) | Legitimate |
A Python script performing the MTProto handshake with the rogue key's fingerprint 0x2c945714333b5ebd was tested against both servers (a real Telegram DC and a Telega proxy):
Conclusion: Telega's proxy server holds the private key for the rogue RSA key — confirming they can decrypt the initial MTProto handshake and establish MITM.
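To reproduce the key comparison on another build, the useful primitive is the MTProto key fingerprint: the lower 64 bits of SHA1 over the TL-serialized `rsa_public_key n:string e:string`, which is what the client sends in req_DH_params and what lets a server pick the matching private key. The block below is an added example, not the analysis's own script or Telega's code; it computes fingerprints for keys extracted from a binary and sorts them into official, known-rogue (the 0x2c945714333b5ebd value from this analysis) or unknown. The toy moduli are constructed placeholders, not real RSA keys, and the set of official fingerprints is something the reader fills in from the official Telegram source.

```python
import hashlib


def tl_bytes(data: bytes) -> bytes:
    """Serialize a byte string as a TL bare `bytes` value: a 1-byte length
    (or 0xfe plus a 3-byte little-endian length for >= 254 bytes), the data,
    then zero padding to a 4-byte boundary."""
    n = len(data)
    out = bytes([n]) + data if n < 254 else b"\xfe" + n.to_bytes(3, "little") + data
    return out + b"\x00" * ((-len(out)) % 4)


def int_to_be(value: int) -> bytes:
    """Minimal big-endian encoding, as MTProto expects for n and e."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def mtproto_key_fingerprint(n: int, e: int) -> int:
    """Lower 64 bits of SHA1(rsa_public_key n:string e:string), read as a
    little-endian int64; this is the fingerprint exchanged in req_DH_params."""
    digest = hashlib.sha1(tl_bytes(int_to_be(n)) + tl_bytes(int_to_be(e))).digest()
    return int.from_bytes(digest[12:], "little")


# Fingerprint this analysis attributes to the extra key in libtmessages.49.so.
KNOWN_ROGUE_FINGERPRINTS = {0x2C945714333B5EBD}


def verdict(fingerprint: int, official_fingerprints: set) -> str:
    if fingerprint in official_fingerprints:
        return "official"
    if fingerprint in KNOWN_ROGUE_FINGERPRINTS:
        return "rogue-known"
    return "unknown"


def classify_embedded_keys(keys: dict, official_fingerprints: set) -> dict:
    """keys: label -> (n, e). Returns label -> (hex fingerprint, verdict)."""
    result = {}
    for label, (n, e) in keys.items():
        fp = mtproto_key_fingerprint(n, e)
        result[label] = (f"0x{fp:016x}", verdict(fp, official_fingerprints))
    return result


# Constructed toy moduli (not real RSA keys) standing in for keys pulled out of
# a native library. In practice, populate official_fingerprints with the
# fingerprints of the keys in the official Telegram source tree.
TOY_KEYS = {
    "key_a": (0xC0FFEE1234567890ABCDEF0123456789ABCDEF01234567, 65537),
    "key_b": (0xDEADBEEF0BADF00D1234567890ABCDEF0123456789ABCDEF, 65537),
    "key_c": (0xFEEDFACE0123456789ABCDEFFEDCBA9876543210CAFEBABE, 65537),
}
OFFICIAL_TOY_FINGERPRINTS = {
    mtproto_key_fingerprint(*TOY_KEYS["key_a"]),
    mtproto_key_fingerprint(*TOY_KEYS["key_b"]),
}

if __name__ == "__main__":
    for label, (fp, v) in classify_embedded_keys(TOY_KEYS, OFFICIAL_TOY_FINGERPRINTS).items():
        print(f"{label}: {fp} {v}")
```

Any key whose fingerprint is neither in the official set nor explained by the build is the one to test against the server: a handshake that succeeds only against the proxy, as reported above, is the proof that the proxy operator holds the private half.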
Official Telegram hardcodes PFS as true at build time. Telega defaults to false, controlled via the /dc-proxy endpoint:
Without PFS, the permanent auth_key encrypts all traffic. If Telega obtains this key (via MITM handshake), all past and future messages are decryptable.
Firebase Remote Config sets enable_sc = false. The full config dump reveals additional concerning flags:
Since FeatureManager.currentInstance().isSCEnabled() returns false, incoming secret chat requests are silently ignored. The "Start Secret Chat" button is hidden. Deep links to secret chats are suppressed. Users have no indication that E2E encryption is unavailable. Critically, this flag is server-controlled — Telega can toggle secret chats on/off remotely at any time.
Telega's client contains a blacklist filtering system that blocks content for all users:
| Check Location | Effect |
|---|---|
| ChatActivity.checkIsBlacklisted | Blocks opening chat |
| ProfileActivity.checkIsBlacklisted | Blocks viewing profile |
| PeerStoriesView.checkIsBlacklisted | Blocks viewing stories |
Results are cached locally in moderation_list SharedPreferences. The overlay displays: "Content unavailable — This [chat/channel/bot] is unavailable due to platform policy violations" — impersonating Telegram's own blocking.
Discovered at demo.stage.telega.info. A web panel for processing government blocking requests with 3 project categories:
| Project | Description | Source |
|---|---|---|
| REESTR | Channel/group/bot restriction requests | RKN (Roskomnadzor) |
| Personal Data | User personal data requests | RKN |
| Content Risks | Disinformation, media content | Internal |
Telegram Mini App at cerberus-webapp.telega.info for real-time message moderation with AI classification:
| Feature | Detail |
|---|---|
| AI Toxicity Threshold | 80% (auto-delete above threshold) |
| AI Spam Threshold | 85% |
| Auto-delete | Enabled by default for high-confidence violations |
| Auto-ban | After 3 violations |
| Actions | delete, ban, reply, escalate |
Two independent Recorded Future Sandbox runs confirmed the following malicious behaviors:
| Behavior | Indicator |
|---|---|
| Root detection (9 paths) | /system/bin/su, /data/local/bin/su, /system/sd/xbin/su, /data/local/su, /system/app/Superuser.apk, /sbin/su, /data/local/xbin/su, /system/bin/failsafe/su, /system/xbin/su |
| Emulator detection | /dev/socket/qemud, /dev/qemu_pipe |
| Debugger detection | Checks presence of debugger |
| CPU fingerprinting | /proc/cpuinfo |
| Data Type | Indicator |
|---|---|
| Contacts | content://com.android.contacts/contacts |
| Photos | content://media/external/images/media |
| Accounts | IAccountManager.getAccountsAsUser |
| Running processes | IActivityManager.getRunningAppProcesses |
| Network info | IConnectivityManager.getActiveNetworkInfo |
| Phone operator | Reads network operator info |
Sandbox file artifacts include city-specific theme images for Russian cities (including Makhachkala in Dagestan and Grozny in Chechnya), and data for 3 separate Telegram accounts:
| Artifact | Significance |
|---|---|
| dahl_russia.png | Russia-wide theme |
| dahl_kazan.png | Kazan (Telega's claimed origin) |
| dahl_piter.png | Saint Petersburg |
| dahl_moscow.png | Moscow |
| dahl_makhachkala.png | Makhachkala (Dagestan) |
| dahl_groznyi.png | Grozny (Chechnya) |
| dahl_day_theme.attheme | Custom theme engine |
| account1/stats2.dat, account2/stats2.dat, account3/stats2.dat | Multi-account support (3 accounts) |
| remote_en.xml | Remote localization config |
| Behavior | Indicator |
|---|---|
| Scheduled tasks | IJobScheduler.schedule |
| Wake lock | IPowerManager.acquireWakeLock |
| Crypto APIs | javax.crypto.Cipher.doFinal |
Telega requests an excessive set of Android permissions far beyond what a messaging app needs:
| Permission | Risk |
|---|---|
| ACCESS_FINE_LOCATION | Precise GPS tracking |
| ACCESS_BACKGROUND_LOCATION | Track location when app is closed |
| RECORD_AUDIO | Microphone access |
| CAMERA | Camera access |
| READ_CONTACTS | Full contact list |
| WRITE_CONTACTS | Modify contacts |
| READ_PHONE_STATE | Phone number, IMEI |
| READ_PHONE_NUMBERS | All phone numbers |
| CALL_PHONE | Place calls without going through the dialer UI |
| READ_EXTERNAL_STORAGE | Access all files |
| WRITE_EXTERNAL_STORAGE | Modify all files |
| READ_MEDIA_IMAGES/VIDEO/AUDIO | Access all media |
| GET_ACCOUNTS | List all device accounts |
| REQUEST_INSTALL_PACKAGES | Request installation of APKs from this app (sideloading) |
| SYSTEM_ALERT_WINDOW | Draw over other apps |
| BLUETOOTH_CONNECT | Access paired BT devices |
| ACCESS_MEDIA_LOCATION | GPS coordinates from photos |
| POST_NOTIFICATIONS | Show notifications (the dc_force_switch / dc_update_version push triggers are handled by TelegaPushHandler) |
| BIND_TELECOM_CONNECTION_SERVICE | Telecom service binding |
| BIND_REMOTEVIEWS | Remote view service binding |
| BIND_CHOOSER_TARGET_SERVICE | Target chooser binding |
| Country | Destination | Domain | Proto | Analysis |
|---|---|---|---|---|
| N/A | 224.0.0.251:5353 | — | UDP | mDNS multicast |
| RU | 158.160.224.173:443 | gate.telega.info | TCP | Telega API gateway |
| NL | 149.154.167.50:443 | — | TCP | Telegram DC2 (real) |
| NL | 149.154.167.51:443 | — | TCP | Telegram DC2 (real) |
| RU | 213.180.204.244:443 | startup.mobile.yandex.net | TCP | Yandex SDK init |
| RU | 213.180.193.226:443 | report.appmetrica.yandex.net | TCP | Yandex analytics |
| RU | 213.180.204.244:443 | nq.appmetrica.yandex.net | TCP | Yandex metrics |
| US | 142.250.*.*:443 | firebase-settings.crashlytics.com | TCP | Firebase/Crashlytics |
| US | 142.250.*.*:443 | firebaseremoteconfig.googleapis.com | TCP | Remote Config (enable_sc) |
| AU | 1.1.1.1:53 | chrome.cloudflare-dns.com | UDP | Cloudflare DNS over plain UDP/53 (1.1.1.1 geolocates to APNIC, AU) |
| US | 172.64.41.3:443 | chrome.cloudflare-dns.com | TCP | Cloudflare DoH (bypasses local DNS filtering) |
| US | 142.250.191.14:443 | www.youtube.com | TCP | YouTube integration |
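The indicators in this table and in the mitigation list are easy to turn into a retrospective hunt. The block below is an added example, not part of the original analysis or Telega's code: it runs the IOCs (the two API hosts, the gate.telega.info IP, the *.telega.info suffix and the AS203502 range) over connection log lines and lists the clients that need attention. The log format and every address in the sample are constructed for the example; the client addresses and 203.0.113.7 are placeholders.

```python
import ipaddress
import re

# Indicators from this analysis.
IOC_DOMAINS = {"api.telega.info", "gate.telega.info"}
IOC_DOMAIN_SUFFIX = ".telega.info"          # also catches the stage.* panel hosts
IOC_IPS = {"158.160.224.173"}               # gate.telega.info as seen in the sandbox
IOC_NETWORKS = [ipaddress.ip_network("130.49.152.0/24")]  # AS203502

# Constructed log sample: "<timestamp> <client> <dst_ip>:<port> <sni_or_dash>".
# The 10.1.2.0/24 clients and the 203.0.113.7 address are placeholders.
SAMPLE_LOG = """\
2026-03-24T10:00:01Z 10.1.2.3 158.160.224.173:443 gate.telega.info
2026-03-24T10:00:02Z 10.1.2.3 149.154.167.51:443 -
2026-03-24T10:00:03Z 10.1.2.3 130.49.152.17:443 -
2026-03-24T10:00:04Z 10.1.2.9 142.250.191.14:443 www.youtube.com
2026-03-24T10:00:05Z 10.1.2.7 203.0.113.7:443 demo.stage.telega.info
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def match_line(line: str):
    """Return (timestamp, client, dst_ip, name, [reasons]) or None if clean."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dst, _port, name = m.groups()
    reasons = []
    if name in IOC_DOMAINS:
        reasons.append("ioc-domain")
    elif name.endswith(IOC_DOMAIN_SUFFIX):
        reasons.append("telega-subdomain")
    if dst in IOC_IPS:
        reasons.append("ioc-ip")
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in IOC_NETWORKS):
        reasons.append("as203502-range")
    return (ts, client, dst, name, reasons) if reasons else None


def hunt(log_text: str) -> list:
    """All matching lines, in log order."""
    return [hit for hit in map(match_line, log_text.splitlines()) if hit]


def affected_clients(log_text: str) -> list:
    """Clients to isolate; their users should re-secure their Telegram accounts."""
    return sorted({hit[1] for hit in hunt(log_text)})


if __name__ == "__main__":
    for ts, client, dst, name, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {client} -> {dst} ({name}): {', '.join(reasons)}")
    print("affected:", affected_clients(SAMPLE_LOG))
```

Note the line to 149.154.167.51 is left alone: real Telegram DC traffic is expected from a Telega install too (the sandbox saw it), so it is the AS203502 range and the telega.info names, not Telegram's own addresses, that identify a compromised client.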
COMPOSITE THREAT SCORE: 8.0 / 10 — CONFIRMED SPYWARE WITH MITM CAPABILITY
Recommended controls, grouped by where they are enforced:

- Block api.telega.info and gate.telega.info at DNS/proxy level.
- Block 130.49.152.0/24 (AS203502) at the firewall.
- Watch for the *.stage.telega.info subdomains (Zeus and Cerberus panels).
- Blocklist the ru.dahl.messenger package on managed Android devices (MDM).
- Alert on any traffic to the telega.info domain and its subdomains.

Telega replaces Telegram DC addresses with proxy servers it controls, injects a rogue RSA key whose private counterpart is held by Telega's servers (cryptographically proven), and disables PFS. This is a textbook Man-in-the-Middle attack against MTProto.
The upstream AS is VK (Mail.ru). Moderation panels process RKN blocking requests. The infrastructure's sophistication (own AS, /24 IP block, multiple moderation panels) is inconsistent with a "small startup from Kazan" — pointing to state backing.
Users believe they are using Telegram's encryption. In reality: PFS is off, secret chats are suppressed, and all traffic flows through a MITM proxy. No notification, no consent, no indication.
One Telega user compromises all their contacts. Anyone messaging a Telega user has their messages intercepted — even on the official client. The privacy violation extends to everyone in the contact network.
Using Telega is equivalent to handing your phone to a stranger with government connections. Unlike a known government app, Telega creates the illusion of Telegram's privacy while operating as a surveillance pipeline. Years of message history, subscribed channels, and contact networks become accessible.