NEWS Telegram, iMe, Graph Messenger – downloaded a blocking bypass, got tracked. Research reveals what popular Telegram forks do with your data.

pinkman

Traffic analysis revealed ads, trackers, third-party SDKs, and even server spoofing in one popular client.
Telegram outages in Russia have once again fueled demand for workarounds, but with the growing interest in VPNs (virtual private networks) and unofficial clients, the risks have also increased. An RKS-Global study on alternative Telegram clients for Android paints a disturbing picture: some popular apps don't simply add "convenient features" but send user data to third-party infrastructure, including in Russia.

The authors of the study analyzed eight clients using static analysis of APKs (Android installation packages) and dynamic network traffic analysis. The researchers used the official Telegram version 12.4.3 as a benchmark and then compared the behavior of Telegram X, Plus Messenger, Nekogram, Graph Messenger, Telega, iMe, Forkgram, and Mercurygram. The analysis covered the initial app launch and initial network requests, without exploiting vulnerabilities or collecting real user data.

The study draws the most damning conclusions regarding Telegram. According to RKS-Global, the app secretly replaces Telegram servers with its own nodes in Kazan, and all MTProto traffic is routed through Russian proxies. At the same time, the client sends analytics to VK's infrastructure, including Telegram user ID and VPN usage, and routes calls through services linked to OK.ru. If the study's findings are accurate, this is no longer a matter of controversial telemetry, but a complete change in the messenger's trust model.

Graph Messenger and iMe, according to the researchers, also raise questions, although their scenario is less extreme. Both clients transmit data through built-in advertising and analytics modules to Yandex and VK Group servers. The authors also note that several alternative clients include Firebase Analytics (Google's analytics service), while the official Telegram explicitly disables such data collection. The more advertising SDKs (development kits) and external trackers an app contains, the higher the risk of metadata leakage, user profiling, and data transfer to third parties.

Mercurygram and Forkgram were at the other extreme. At the time of testing, both clients showed a "clean" network profile, with no data sent to third parties. The researchers immediately clarified an important detail: a good rating in one version does not guarantee lifetime security, as any developer can change the code in the next update and add new data collection mechanisms.

A separate discovery is even more alarming. During their investigation, the authors stumbled upon a trojanized application masquerading as Telegram X. According to RKS-Global, the malware hijacks Telegram sessions, joins channels, intercepts messages with the ability to spoof content, and facilitates account takeover. The original Telegram X, on the other hand, received a good rating during testing and even showed a cleaner profile than the official client.

The study's main conclusion is simple. For sensitive communications, the official Telegram remains the safest option, and installing random forks to circumvent restrictions may result not in restoring access, but in the leaking of communications, account loss, or the transfer of metadata to third-party infrastructure. Amid speculation about the service's possible further blocking in Russia, this risk is no longer a theoretical threat, but a very practical problem for millions of users.
 