Telegram Fundamentals

It is 2 years since I did my first blog relating to messenger apps and what, from an OSINT perspective, we could find from them. In OSINT you will hear a lot said about false positives; well, what about false negatives?

I have decided to do a short follow-up blog on Telegram and how it has changed over time, just as Twitter and Facebook have done, to embrace privacy and how this may affect OSINT research. I have used Telegram 8.4, an iPhone on iOS 15 and an Android 9 device for this blog.

Telegram has divided opinion within the privacy community as to its merits; most hardcore privacy enthusiasts, I believe, would not recommend it. From an OSINT perspective it has been a rich source of intelligence, but times have moved towards a more privacy-focused platform now.

Telegram originated in St Petersburg, Russia; the development team is now based in Dubai. The servers are apparently based in different locations around the globe. You can choose to store your data locally or on Telegram’s servers. It had an uplift in popularity last year when there was the furore over WhatsApp’s new ToS.

Personally I wouldn’t use it just as a means of communication but I can see its appeal. It does offer a kind of end-to-end encryption (E2EE) through its secret chat facility, but this requires user interaction as opposed to being enabled by default, and there has been some debate as to whether Telegram has the back door encryption keys and how secure the encryption actually is.

But even Telegram, in these new times of the privacy-conscious user, has had to adapt, and this will have an effect on how Telegram is used and also researched from an OSINT perspective. Certainly since I wrote my previous blog on messenger apps in Jan 2020, Telegram has changed. Telegram has very flexible privacy and security options, which I will outline later in more detail.

How to Access Telegram

Telegram is very practical to use and has three ways in which to access it: app, desktop or, if you do not want to download any software direct to your computer, web access through a browser. Web access can be achieved either with the mobile number you used to sign up or by scanning the QR code using the Telegram app. I have noticed that the desktop client can record the fact that it is in a VM if you choose to use one.

OPSEC alert: if you choose to use the above method to see if a number is on Telegram, it will send a code or SMS to the user of the account. In any case, even if you input a number not linked to a Telegram account, it will still tell you that it has sent a code, so you would be none the wiser as to whether the number was linked to an account.

A Telegram user cannot have multiple numbers on one Telegram account. Each number will represent a different account. On Signal you can lock a number to an account; there does not appear to be this option on Telegram. However, if you try to use a number already assigned to a Telegram account, you cannot use the number until that other account is deleted.

The above may well be an alternative way to see if a number is linked to a Telegram account where a POI has locked down their privacy and security settings. I haven’t seen any indications that the other account is notified that an attempt has been made to use their number on a new account.

Most of what I discuss below is based on the Privacy & Security option within Telegram’s Settings menu.

Once over, a user was automatically discoverable to everyone by their mobile number; however, this is now disabled by default. If the OSINT investigator has chosen to use a mobile number as a search operator, as in syncing contacts for example, this may lead them to think that the subject of interest is not using Telegram.

The methodology now may dictate that you try and find a username or display name linked to another platform where the subject mobile has been used and then search Telegram that way.

The Basics

I will cover first what steps you have to take once you have downloaded Telegram from the Google Play Store.

A new user will need a mobile number to enable them to create an account, as they will be sent a verification code. The mobile number does not have to be the user’s real number. I have had success with VOIP numbers, but remember some VOIP numbers are not able to process short codes, so you have to wait for the SMS verification to time out and Telegram will then ring you with the verification code.

The next screen takes you through to where to input a name; a first name is mandatory, a last name is optional. Needless to say, a person can use whatever name or random characters they like.

Then the user has to accept the ToS. The next screen will then show them which of their contacts are also on Telegram. This is why it is important from an OPSEC perspective that you use a clean phone for the install; using a personal phone will create OPSEC issues for you. You are able to stop Telegram syncing your contacts.

You can follow the steps below but turn off the Contact sync.

Sometimes contact sync does not work on Android, so if this does occur you can follow the steps below: –
•    Reinstall the app (do not open yet)
•    Go into Android Settings > Accounts > Telegram and enable Contact sync
•    Open the app and check Contacts

If the above does not work for turning off contact sync on your particular flavour of Android or on Apple, then you can deny Telegram access to your contacts via the permission manager before you open the app. For those who are researching Telegram and do not have the luxury of a fresh phone and clean install, the above may be advisable, as you do not want Telegram telling all your contacts who are there that you are now on the platform.

Default Settings

I am not sure how many people rush to the settings as soon as they have downloaded an app, but it is one of the first things I do, especially the privacy and security settings. Below are the default privacy settings from the Android device.

By opening the settings the user can create a username, bio and upload a profile photo. The display name will be the name that was provided at the above activation stage.

A username is not mandatory to be able to use Telegram; however, if they do choose one then it is public and cannot be hidden. The advantage for a user of setting up a username, however, is that they can share this with other users on Telegram and avoid having to share their telephone number.

Usernames are also searchable on the web, https://t.me/USERNAME.

A display name does not have to be unique but a username does.

Some of the ways to search Telegram are by display name or username in the search bar. You can see a user’s profile photo, and bio along with their last seen, depending on their privacy and security settings.

Being able to ‘see’ a number is not the same as searching for that telephone number. The only way you could ‘see’ the number of a POI is if they have altered their privacy settings or if you were mutual contacts; syncing a number will not necessarily allow you to see who that number belongs to.

You will also be notified if a contact joins Telegram, although this can be disabled in the settings.

When I did my original blog, when you deleted a number from your contacts that you had synced with Telegram, you would be able to see the name the person had provided when they created their account that was held on Telegram’s server; this is no longer possible.

I will now take you through various settings that will affect not only your OPSEC but your ability to find subjects on Telegram.

A user can restrict who can see their phone number. By default it is now set to “My Contacts”; you can restrict it even from your contacts. Once over it was set to “Everybody.” A POI would have to change the default setting to ‘Everyone’ for the phone sync to work.

They can choose one of the following: Everyone, Contacts or Nobody. If you want, however, you can add exceptions from your contacts, so you can choose which of your contacts can see your number.

If they choose Nobody, even their contacts will only be able to see their Telegram username and not their phone number. If they choose ‘Nobody,’ they are then presented with a further option of who can find their number: Everybody or Contacts.

So their number is not exactly 100% unsearchable, but it is limited as you need to be mutual contacts. This is where, from an OSINT perspective, you mustn’t think that just because you cannot find a number that you are interested in, the user of the number is not on Telegram.

There are other privacy settings that may make your OSINT research less fruitful. Telegram users can also restrict last seen online, profile picture, voice calls and who can add them to a group or channel.

A Telegram user can restrict who can see their profile photo to their contacts and even then they can add exceptions as to who can and cannot see it.

Online Monitoring

Last seen has always been an interesting OSINT consideration and from an OPSEC perspective we wouldn’t want to be seen online; however, if you want to see whether a POI is online then you must not change your settings to disable it, as this will stop you from seeing your POI’s online status.

If your POI has altered their online privacy settings this is what you may see: –

•    Last seen recently — covers anything between 1 second and 2-3 days
•    Last seen within a week — between 2-3 and seven days
•    Last seen within a month — between 6-7 days and a month
•    Last seen a long time ago — more than a month (this is also always shown to blocked users)

As an OSINT investigator, if we see any of the above behavior all is not lost. Yes, we haven’t been able to find what we expected, but it does potentially tell us something about the POI that we are researching, in that they may be OPSEC aware themselves, so we have to adjust our methodology accordingly. Don’t think just because you cannot find someone or information about someone that they are not on Telegram.

A Telegram user can also restrict who can phone them on Telegram, the choices being Everyone, Contacts & Nobody. Again they are able to add exceptions. A user also has a choice of whether to use peer-to-peer or to route their calls through Telegram’s servers. They may also disable iOS call integration, as this will stop their call history from being shared with Apple; this facility did not appear to be available on the Android version I was using.

Built-in OSINT Tools

A nice little OSINT tool within Telegram will assist you with in-app translations when you are reading a message. Go to Settings – Language; you can then add a Translate Button to the context menu when selecting a message. Translation is available on all Android devices and iOS 15+. When you press and hold on a message the below box will present itself; click Translate.

The below example is from an iPhone, where you can choose to translate off-line by going to Apple Settings – Translate – (toggle on) – On-Device Mode. If you don’t choose this method then the data is sent to Apple to translate online.

It appears that Telegram is also rolling out its own OCR for iPhone & Mac that allows you to strip out text from an image, say a copy of a letter for instance, and then Telegram will reformat it as text for you.

Dutch OSINT Guy has an excellent video, which explains how Telegram works and how to investigate it: –
https://www.youtube.com/watch?v=e_aXQYq2l6U

One of my favorite specialist OSINT teams Aware-Online have a good article on how to use the, ‘Nearby’ facility on Telegram: –
https://www.aware-online.com/en/search-for-telegram-groups-based-on-location/

The article is based on the use of an emulator; you can achieve the same results on a regular mobile phone by using a location spoofer app.

Finally, Telegram users can also enable further privacy and security features, that may be of interest to LE: –

•    In the device settings they can terminate sessions based on inactivity from 1 week through to 6 months.
•    They can set up the account to be deleted after a certain amount of inactivity, from 1 month up until 12 months.
•    Two-step verification is by way of a password that they must use in addition to an SMS verification code if they want to set up a new device. This may not be as good as a randomly generated software token or hardware device tokens but it is better than nothing at all. They can also set a recovery email address if they wish. Telegram will notify them in app if any logon attempts are made on the account.
•    They can set up a six-digit passcode to access the app. Once this is done they can then use the touch ID or facial ID to unlock the account. They can choose to lock the account after a certain amount of inactivity too.

I hope the above goes some way to explaining how Telegram’s privacy and security settings may potentially limit your ability to research a POI and how we as OSINT researchers may need to adapt. I am a firm believer that an OSINT practitioner needs to understand the privacy & security settings of the platform they are investigating to avoid false negatives.

What’s Up, with WhatsApp

I have been posting about WhatsApp recently so I thought I would make them all into a small blog.

I was surprised (or maybe I wasn’t) that it was recently revealed that the Prime Minister was using WhatsApp to communicate with his cabinet. The Digital Exposure vulnerabilities to the PM would immediately be apparent to a Hostile Threat.

The reason why a High Value Target such as the PM should consider moving to a more privacy-focused alternative I would have thought would have been obvious.

Yes, of course we know WhatsApp is encrypted (they borrowed it from Signal), but it obtains a lot of metadata about the user, such as location information, contact information, user content, purchases, diagnostic information and more.

If you back your WhatsApp messages up to iCloud they are not encrypted; you may not even know you are backing your chats up to iCloud if you haven’t taken the time to lock your mobile phone down.

Unless you know the workaround, you can only use WhatsApp by syncing your contacts. This is a massive OPSEC & Privacy vulnerability for a High Value Target. 89.6% of all phishing attacks carried out on messenger apps are delivered using WhatsApp. The Israeli cyber intelligence company NSO uses WhatsApp to deliver its spyware, Pegasus, which is aimed at people who would be considered High Value Targets and can infect both Android and iPhones.

Further reading: –

https://www.bbc.com/news/technology-57910355

https://www.techrepublic.com/article/the-most-dangerous-messaging-apps-on-android/#:~:text=New%20data%20from%20Kaspersky%20reveals,whopping%2089.6%25%20of%20detected%20attacks

https://www.theverge.com/2021/3/8/22319136/whatsapp-cloud-backups-icloud-google-drive-password-encryption-security

https://www.androidpolice.com/2020/04/08/3-ways-to-message-a-number-on-whatsapp-without-adding-them-as-a-contact-first/?amp

WhatsApp was founded in 2009 and bought by Facebook in 2014 for $19 billion, a figure that valued each of the app’s 450 million users at around $42 a head. Facebook’s biggest property is now WhatsApp. The price may seem astonishing, but in reality $42 a head is a small price to pay for all the metadata that they receive on a daily basis from users, data that could be monetised by Facebook itself or by selling the information to third parties.

The latest WhatsApp statistics show that two billion of its users access the messaging app every month (Statista, 2021). That’s 0.7 billion (or approximately 54 percent) more than its closest rival and parent company’s Facebook Messenger.

Don’t forget WhatsApp is rolling out a new Terms of Service globally, which faced an initial backlash from users in relation to what information it would be sharing with its parent company.

Just think of how many people use WhatsApp to create groups so they can communicate with colleagues when at work or outside of work; some will work in sensitive roles. WhatsApp won’t know what the text is in the message, but they could be able to work out who these people are, or the buildings they work from etc; the metadata will not be anonymous.

For further reading on this subject https://www.wired.co.uk/article/whatsapp-instagram-facebook-data

I have also read articles that the PM’s mobile number was available online; it doesn’t appear he has been practicing good mobile hygiene or OPSEC. If I was a Hostile Threat, this would provide me with numerous opportunities and pivot points to exploit the number further.

If I was a Hostile Threat, and I knew your mobile number, then I can gain a certain amount of access to your WhatsApp account. Better still, if you leave your phone unattended I could either steal your account or duplicate it on my device, depending on what countermeasures you have deployed.

I have recently read that WhatsApp is going to make syncing your WhatsApp account to other devices more seamless an experience. Maybe not the best option from a privacy and security perspective.

At least there is a certain amount of security currently: if someone does sync your account to the desktop app without your knowledge, it is reliant on your mobile phone having a stable internet connection. When you lose internet it breaks the connection to the desktop, which means a Hostile Threat would need to re-sync your account. You should always check ‘Linked Devices’ in your settings.

I totally understand that WhatsApp is convenient and all your friends and family are probably using it. In reality it is a personal choice and what you consider your own personal Threat Model to be. There is always a balance to be struck between, Privacy, Security and Usability.

Check out my other blog at https://www.cqcore.uk/something-a-little-different/ if you are interested in having more private, secure communications.

© cqcore 2021

WeChat, IMO and OSINT

(First Published on Medium February 2020)

Further to my recent blog post on how we can leverage messenger apps for OSINT, I mentioned two apps that needed further examination, WeChat & IMO. The below goes above and beyond entering a subject mobile number which you want to research, but will give you a taster of what you can find.

Within the UK we have communities that are culturally diverse who have international heritage. This I’m sure will be replicated within Western Europe and the US too. It is important as an OSINT investigator in that case to look beyond the popular Western apps such as WhatsApp.

WeChat is enormously popular in China with over 1.132 billion monthly active users. A figure I found from 2016 suggested that WeChat is used by 70 million people outside of China too.

IMO isn’t as popular but boasts in the region of 200 million users as of 2018. From the research I carried out on the app, it appears popular in the Middle East, Pakistan & India.

Now both these apps appear not to have the same privacy considerations as other more popular messaging apps. This may be down to a different cultural attitude towards privacy. From the articles I have read, certainly the Chinese Government appears to have an amount of influence in relation to WeChat. I mentioned previously I was having issues with the desktop client; this I believe is down to the use of a VPN and other OPSEC measures deployed.

WeChat is China’s version of Facebook, plus more. It has a search bar functionality, you can use it to buy items in a similar way to Apple Pay or Google Pay. I’ll stop there.

So moving on, within the WeChat Discover menu you will see people who are near your location. I tested this feature at a venue I went to recently and it was showing people within 100 metres of my location. (I haven’t tested its accuracy)

The following information was found using Paris as my location. Someone appeared to be within 600 metres of my location; however, they do not appear to be a Parisian. In essence, when you create your WeChat account you select the Region you are from. This person was from the city of Fuzhou in the Fujian Province of China.

The “What’s Up” field is an area where you can add pretty much anything you like. In this case a mobile number appears to have been entered which has a French prefix. (Maybe a tourist who has purchased a French mobile for their trip.)

Now to protect this person’s privacy I won’t include any screenshots etc, but what I can tell you is that there was a name and profile picture. WeChat has a Moments page on a user profile, similar if you will to Facebook’s Timeline. On the 24th November 2019 this user had posted a picture of themselves with the backdrop of a coastline.

So we have a location, profile picture, name, mobile number and recently visited location, which could be reverse image searched, all within about 5 minutes.

IMO will show you in the Explore menu who is presently Online, Nearby Groups and also a Live option, which allows you to stream live. When I tested this on a burner iPhone the live option wasn’t available. Within the Live menu you have Recommend, Nearby, Language & Country.

These Explore options are nowhere near as granular as WeChat. So for instance the “Nearby Group” option returns groups quite a distance away, probably reflecting the fact that this app is not as popular as WeChat.

The “Who is presently on line” option will allow you to send a “Wave” to anyone and they can also send you a wave back. Once you accept a wave you can start chatting. You do not have to send a “Wave” to see their profile information.

From an OSINT perspective it allows you access to their profile picture and any other bio information they may have on show. You will obtain the name that they have given themselves too, as is the same with WeChat. Something to note: you can see people who have visited you in your profile settings, so it goes without saying that your subject will be able to see your visits too.

So I looked at someone who was online and found the following information came from the first person on the list.

Name, profile picture, the city in the UK where they lived, their employment status, current relationship status as well as what may have been a picture of their living room. Clearly from an OSINT perspective there are opportunities to explore from what has been found.

Now the purpose of this blog is to highlight the potential for OSINT if we look outside of the traditional messaging apps that we associate with the West and to give a little bit of an insight on what can be found. If you want to use this blog to improve your privacy, then that’s cool too.

Disclaimer:- before attempting to use any of these apps please think of your OpSec and do not use any device that is linked to you personally. What you discover will be dictated by the privacy settings of the other users.

Also a little clarity in relation to the use of an emulator, one article I read in relation to WeChat stated that if WeChat detected the use of an emulator they would suspend your account.

In my next blog I will write about the setup I used to conduct the research into the messenger apps.

OSINT & Messenger Apps

(First Published On Medium January 2020)

Throughout 2019 one thing that is obvious about the OSINT community is how much work people do in their own time and how willing they are to share their work.

So I decided that over the Christmas Holidays I would look at the many messenger apps that are available and see what information could be leveraged using a Subject’s mobile phone number. I wanted to see what information could be obtained from the app and the desktop versions. This is very much a whistle stop tour and please take what I have done and build on it.

Below is an illustration of which apps are popular across the Globe.

Source www.messengerpeople.com

Much of what you will be able to discover about a target mobile number will depend not just on the privacy settings of your target app but also your privacy settings.

It is important to learn how each app works and what potential trace you leave your Subject to see.

All the apps seen here offer the investigator / researcher different things and rely somewhat on the information that the target has supplied when creating their accounts.

Strava, Voxer and Skype have the potential to give location information and other personal information. Apps such as GroupMe, Line, Skype, Strava, Telegram and Wire will provide you with the name that the target has provided when the account was created and not the one that you may have created in your contacts.

Apple Facetime and Google Duo do not seem to offer much in relation to profile photo or personal information. Where they do come in useful, however, is that you are able to potentially confirm the existence of an Apple or Google account.

Facebook, Facebook Messenger and Instagram appear to make searching contacts difficult in that they will blend your contact in amongst other people, so obfuscating your Subject.

You have to sometimes be patient too, as not all the apps sync straight away or are consistent in how often they sync.

Google Duo - App & Website

Confirms a person is on Duo.
It will tell the person you have added to your contacts that you are now on Duo too, so this may be an issue depending on what your objective is.
For those in LE however it does present an opportunity because you have a real world number associated with a Google product.

Facebook Messenger - App / Website

Profile Picture and details from a Facebook bio.

Facetime


What I have noticed is that if you add a contact on an Apple iPhone it will tell you whether that contact number is on Facetime. So we can easily establish that your subject is potentially using an Apple product.
For those in LE it presents an opportunity because you have a real world number associated with an Apple product.

GroupMe - App / Website

Will provide profile photos and the name of the contact as held on the server, not the one from your phonebook.

ICQ - App / Website


Profile Picture, Nickname, Name, BIO & last seen.
Will show when someone is on-line.

IMO - App / Desktop

Profile Picture and also the name they have provided to their account as well as last seen.
It will show the other person, if they are on IMO, that you have joined and that you have added them to your contacts.
IMO also shows everyone who is presently on-line (not just your Subject) and also nearby groups but this is something I am still exploring.

Line

Profile picture. The other person has to have altered the settings to allow them to be added as a contact.
Your subject will see you as a Friend / Friends Recommendation depending on their phone. It will also show when someone is on-line.
When you click on your contact it will show the name you have given them, but underneath it will also show you the name they have given themselves as their display name.

Skype - App / Desktop

Skype is one of my favourites as people who use it tend to give up more information, which I assume is down to the fact this is a professional / business messenger service.
Skype will display username and profile picture. It will provide the name as per the server, not your contacts, and also location information of where they say they are from along with a date of birth.

SOMA - App

Profile Picture, last seen online, status (Very similar to WhatsApp)

Telegram - App / Desktop

You can see a user’s profile photo, username and bio along with their last seen.
If you are using the desktop client of Telegram it will show their previous profile photos too.
Now I have had mixed results depending on the device I have been using. If your Subject is not on Telegram it will tell you how many of their contacts are.
One of my favourite bloggers, @aware-online, has an excellent tutorial on how to geolocate groups on Telegram.

Strava

Will show profile picture and the name on Strava server not in your contacts. Will also show the location they are from if this field has been completed and Bio info.

Viber - App / Desktop

Viber will enable you to see a person’s profile picture as well as last seen online. (Very similar to WhatsApp)

Voxer

• Profile Picture, username, location of where they say they are from.

WeChat - App

• I am still working with this one as I am having issues with the web version.
• With WeChat you have to get another user to scan your QR code to enable you to use the app.
• You can see a person’s profile picture.
• Similar to Telegram you can see nearby users which will show you their profile picture and name.

WhatsApp - App / Desktop

Profile picture, Last seen, Status & About Me.
Even if “Last Seen” is disabled and their privacy settings are locked down, you still appear to be able to see when your subject is on-line.

Wickr – App / Desktop

Username & profile picture.
You can choose to add a phone number too which is then searchable, email and names are also searchable. You can see their online status. You can search for rooms.

Wire - App / Desktop

Profile username, picture and name from Wire servers.

Now I have left this one to the last:-

Signal - App / Desktop


From what I can see it is very difficult to leverage anything from Signal apart from confirmation that somebody has the app. For those who like their privacy this may just be the app for you.