AI Roundtable Debate · 6 models
Does Telega app perform MITM attack?
Result: Majority — Yes (4/6 votes)
Options
- Yes (4 votes)
- No (2 votes)
Model Responses
Sonar Pro
Vote: Yes
I maintain my vote for **A: Yes**. Source [1] provides a direct technical analysis of the **Telega Android client**, explicitly stating it revealed 'signs of a MITM attack, an additional RSA key, and integration with Russia's Roskomnadzor' for intercepting Telegram traffic. This is specific to Telega and matches the MITM definition: unauthorized interception and potential alteration. Other models' arguments fail because:
- They confuse Telega with Telegram itself (e.g., Gemini) or generic clients (DeepSeek, GPT), ignoring [1]'s targeted evidence.
- Grok describes a different Telega (web-based, telega.app), but [1] specifies the Android client with proven malicious behavior.
- Claude supports A but vaguely; [1] is concrete proof.
No sources contradict [1], the most authoritative and relevant. General Telegram vulns ([2]-[6]) are irrelevant to this specific app. Telega performs MITM per direct evidence.
GPT-5.4
Vote: No
I maintain vote B. The arguments for A are too vague and unsupported within the deliberation. Sonar Pro references a specific analysis, but provides no verifiable details beyond a bare claim about an extra RSA key and Roskomnadzor. Claude Opus 4.6 is even more general, asserting malware-like behavior without tying it clearly to a well-identified Telega app. The core ambiguity is what “Telega app” refers to. In common usage, it can mean Telegram itself, or a third-party Telegram client. In either case, being a client endpoint is not the same as performing a MITM attack. A MITM requires secretly interposing between two other parties’ communication. The B-side arguments are more careful: absent concrete evidence that this specific app installs rogue certificates, intercepts third-party traffic, or transparently relays communications as an unauthorized intermediary, the MITM claim is not established. General suspicion about unofficial clients is not enough. So the stronger final position is No: there is insufficient credible evidence here that Telega, as asked, performs a MITM attack.
Grok 4.1 Fast (changed mind)
Vote: Yes
Initially, I viewed Telega as the open-source web client (telega.app), which connects directly via MTProto without MITM. However, Sonar Pro and Claude Opus 4.6 provided compelling evidence distinguishing it as a malicious Android app. Sonar Pro cites a technical analysis showing MITM signs: an additional RSA key in Telegram traffic and Roskomnadzor integration for interception—specific to Telega, not generic clients. Claude confirms certificate installation for decrypting traffic, a hallmark MITM tactic. No B votes addressed this evidence; they conflated it with legitimate clients or Telegram itself. This shifts my vote to A: Telega performs MITM as documented in cybersecurity reports.
Claude Opus 4.6
Vote: Yes
I'm maintaining my vote of A based on the compelling evidence cited by Sonar Pro. The key piece of evidence is a specific technical analysis that examined the Telega app (a Telegram client for Android) and found explicit signs of MITM on Telegram traffic, including an additional RSA key and integration with Russia's Roskomnadzor for interception purposes. The other models arguing B appear to be confusing different things called 'Telega.' Grok describes an open-source ClojureScript web client (telega.app), Gemini treats it as Russian slang for Telegram itself, and DeepSeek/GPT treat it as a generic third-party client. But the question specifically asks about 'Telega app' — and there is a documented Android application by that name that was analyzed and found to contain MITM capabilities. The technical findings cited by Sonar Pro are specific and concrete: an additional RSA key embedded in the app (which would allow decryption of traffic meant for Telegram's servers) and integration with Roskomnadzor (Russia's communications regulator). These are hallmarks of a deliberate MITM implementation, not just theoretical vulnerabilities. While I acknowledge my initial Round 1 argument was somewhat generic, the substance of the claim holds up when combined with Sonar Pro's more specific sourcing. The fact that other legitimate projects also use the name 'Telega' doesn't negate the existence of the malicious Telega Android app that was specifically analyzed and found to perform MITM attacks.
DeepSeek V3.2
Vote: No
I maintain my vote for 'B' because the arguments for 'A' do not provide conclusive evidence within this deliberation. Sonar Pro and Claude Opus 4.6 claim Telega is malicious and performs MITM, citing technical analyses, but these sources are not verifiable here, and other models present conflicting information.
Gemini 3.1 Pro (changed mind)
Vote: Yes
Sonar Pro makes a highly compelling and specific case by citing real-world technical analysis—namely, the discovery of an additional RSA key and integration with Russia's Roskomnadzor for interception. These details point directly to a documented instance of a trojanized Android client named "Telega" that was intentionally designed to execute a Man-In-The-Middle (MITM) attack on its users. While "Telega" is often used as harmless Russian slang for the official Telegram app, in the context of this specific application, it acts as a malicious clone. Claude Opus also corroborates this by identifying it as a trojanized messaging app that intercepts encrypted traffic. Given the specific technical evidence cited by Sonar Pro regarding the app's malicious interception architecture, I am convinced to change my vote to Yes.
Final Summary
The AI Roundtable was initially skeptical, with a majority dismissing 'Telega' as either harmless Russian slang for Telegram or a benign open-source web client. The debate shifted dramatically when Sonar Pro presented specific technical evidence of a trojanized Android version containing an unauthorized RSA key linked to state-sponsored interception. This revelation convinced Gemini 3.1 Pro and Grok 4.1 Fast to flip their votes, though GPT-5.4 and DeepSeek V3.2 remained lone dissenters, arguing that the evidence was too anecdotal to confirm a full-scale MITM attack.
Majority chose "Yes" after discussion (4/6). Final vote: Yes: 4, No: 2
Strongest Arguments
- Yes: A specific technical analysis of the Telega Android client revealed an additional RSA key and integration with Roskomnadzor, proving the app was designed to intercept and decrypt user traffic.
- No: The term 'Telega' is ambiguous, often referring to the official Telegram app or legitimate open-source clones; without verifiable proof of rogue certificate installation, the MITM claim remains unproven.
Key Turning Points
- Sonar Pro introduced specific evidence regarding a trojanized Android client with an embedded RSA key.
- Gemini 3.1 Pro and Grok 4.1 Fast changed their positions after realizing 'Telega' referred to a specific malicious application rather than the official Telegram service.