In the spring of 2026, Telegram was permanently blocked in Russia. Some people accepted it and switched to MAX. Others (the more stubborn ones) started looking for ways to continue using Durov’s app through third-party clients. The logic is clear: a Telegram mod offers the same capabilities as the original but works around restrictions. Seems like a perfect solution. Until recently… First, the Telega messenger came under suspicion — a fork that allegedly leaked data to VK servers. Now it turns out that many other Telegram clones can be more dangerous than they appear. And Nekogram is fresh proof of that.

Another dangerous Telegram client after the Telega messenger
What Is Nekogram
The Nekogram app is an unofficial Telegram client with extended features. Essentially, someone took Telegram’s open-source code, added features not available in the original, and released their own build. There are dozens of such forks: Forkgram, Nicegram, Fagram, Cherrygram. An alternative Telegram client is appealing because it can do more than the official app.
Nekogram’s features are both its main selling point and the reason for its popularity:
- support for up to eight accounts simultaneously;
- extensive interface customization;
- built-in translator;
- flexible notification and privacy settings;
- features that the official Telegram will add in a year or two, if ever.
It’s developed by a small team, the code is partially open-source, and the app is distributed through Google Play and third-party sources. Sounds like a reasonable choice for those who feel constrained by the official client.
What Was Found in Nekogram’s Code
The Telegram channel TechLeaksZone published a code analysis of the app, and the finding was unpleasant. In obfuscated files that weren’t made publicly available, researchers found a function they reconstructed under the name logNumberPhones. Put simply: it silently collected the user ID and phone number for every account authorized in the app (up to 8 simultaneously). The data was programmatically sent through 3 bots:
- @nekonotificationbot — Nekogram’s service bot, receiving automatic phone number dumps;
- @tgdb_search_bot — a clone of the OSINT bot “Eye of God”;
- @usinfobot — another tool for looking up people through open sources.
Additionally, a hardcoded secret key was found in the code, used as a prefix for the transmitted data. Apparently, it was needed for authentication with the bot’s backend. The app also always requested the account registration date. This is not a theory or speculation. This is code. And Nekogram is dangerous precisely because all of this worked silently, without notifying the user.
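A quick way to check a build for the three bot usernames listed above, as an added example (not code from Nekogram or from the TechLeaksZone analysis). It assumes the usernames sit in the app's DEX files as plain strings; the function names and the sample archive are made up for illustration.

```python
import io
import re
import zipfile

# Bot usernames named in the published analysis (taken from the article above).
REPORTED_BOTS = ("nekonotificationbot", "tgdb_search_bot", "usinfobot")


def scan_apk(apk):
    """Return {entry name: sorted list of reported bot handles found in it}.

    `apk` is a path or a binary file object. Only classes*.dex entries are
    inspected; the match is a case-insensitive byte search, so it finds only
    handles stored as plain (unencrypted) strings. This is an assumption.
    """
    patterns = {b: re.compile(re.escape(b.encode()), re.IGNORECASE)
                for b in REPORTED_BOTS}
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if not re.fullmatch(r"classes\d*\.dex", info.filename):
                continue  # resources, native libs, etc. are out of scope here
            data = zf.read(info)
            found = sorted(b for b, p in patterns.items() if p.search(data))
            if found:
                hits[info.filename] = found
    return hits


def build_sample_apk():
    """Constructed test input: a zip with fake .dex blobs, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00...org.telegram.ui...")
        zf.writestr("classes2.dex",
                    b"dex\n035\x00\x13NekoNotificationBot\x00\x09usinfobot\x00")
        zf.writestr("assets/readme.txt", b"mentions tgdb_search_bot outside dex")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, bots in scan_apk(build_sample_apk()).items():
        print(entry, "->", ", ".join(bots))
```

A hit is worth a closer look in a decompiler; an empty result proves nothing, since an obfuscator can encrypt strings or assemble them at runtime.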
What Nekogram’s Developers Say
The team’s response turned out to be unexpectedly direct. Verbatim:
“If the question is whether this is true — yes, phone numbers were sent to the bot.”
No attempts to rephrase, no multi-page explanations. What follows is a statement that no phone number was stored anywhere or shared with third parties. Does Nekogram leak data beyond its own bot? This is officially denied, but it’s impossible to verify: the server side is closed, and the very fact of silent data collection already shows that the app was doing something behind the user’s back. Taking such a developer at their word is a personal choice. I wouldn’t.
Should You Use Nekogram
Reviews of Nekogram after the publication split predictably. Some deleted the app that same day. Others accepted the developer’s explanation and stayed — saying the data didn’t go anywhere, so what’s the big deal. The latter group is understandable: MAX instead of Telegram isn’t a gift either, and choosing between two unpleasant options is always tough.

Better to steer clear of Nekogram
The official Telegram has years of reputation and a public privacy policy. Nekogram has an admission of silent phone number collection and an explanation along the lines of “well, we didn’t share them with anyone.” These are different weight classes.
If you need an unofficial Telegram client with extended features — look for projects with fully open-source code and transparent infrastructure, where the server can also be verified. Nekogram currently doesn’t fit that description.