What the hell is Zangi?

It's being recommended by the Google Play Store, yet no one outside of TikTok seems to talk about it, and when people do talk about it outside the video app, it's about being contacted by scammers.

(I really don't know what to do with this blog anymore, now that I'm trying to avoid the AI hellscape and keep most of my stuff on Geminispace.)

Right off the bat, Zangi is yet-another-E2EE messenger from, apparently, Santa Clara (or Union City, CA, according to its App Store listing) that seemingly popped out of nowhere. It has seen more than 10 million downloads on the Google Play Store alone, is also among the most popular apps on Apple's German App Store, and most reviewers largely praise it.

Considering that I've been testing a variety of messengers for a while and do keep up with the recommendations issued by tech magazines and tech bloggers, it's telling that none of them are even aware of Zangi's existence, which should be the first red flag.

Secondly, it appears to be promoted exclusively via TikTok and within some corners of Instagram, largely via direct messages. As far as my Reddit research goes, it is largely used by scammers, and the team behind Zangi makes sure not to offer any kind of customer support besides a single email address. They claim to rely on “5G technology” to provide video calls, even though 5G is irrelevant when accessing anything on the internet via Ethernet or WiFi (and I personally haven't seen a single server that is not connected to the internet via a considerable amount of Ethernet spaghetti). Unsurprisingly, there are no security audits, and there are more funny claims such as:

  1. Encrypted proprietary handshaking mechanism

     Used for encrypting authorization and session key exchange (encryption algorithms: RSA-2048).

  2. Dynamic channel encryption

     Used for encrypting each session between the client apps and the server, ensuring the security of data transport (encryption algorithms: RSA-2048, AES-GCM).

  3. End-to-End encryption

     Encryption keys exist only on user devices and nowhere else (encryption algorithms: AES-256, Curve25519, ECDH, HMAC-SHA256).

RSA-2048 has been public domain since September 2001 and is widely used as an encryption algorithm for public key exchange (the key you end up sharing with your contacts, in this case). Because of its perceived slowness, it's not used to encrypt the bulk of user data – something even Zangi is, at the very least, aware of. But none of this makes Zangi any more noteworthy than Signal, Threema, or even smaller IMs such as Session, Delta Chat, the Tor-based Briar or, hell, Tox.

What's especially suspicious is the fact that Zangi markets itself as not relying on phone numbers, yet pretty much requires one to “sync contacts”.

There's so much more that makes little sense and is just outright contradictory, which makes Zangi look like the spiritual successor to EncroChat, though EncroChat couldn't be used outside of devices flashed with a custom Android ROM named “EncroChat OS”.

Or it's a honeypot. That would explain why the largest app stores are even promoting it.

But it wouldn't explain its Statement & Designation By Foreign Corporation filing, which also reveals that Zangi is run by two Armenians who obfuscate their actual HQ location.

Don't touch it. Use Delta Chat instead[1].

[1] I recently got followed by “Holga”, one of the main devs behind this email-based messenger, who, due to my interest in anything retro, kindly started to message me privately on Delta Chat. And almost immediately got into DC's tiny web apps. He loves his stuff, he'll bombard you with all the technical details, his service is honest to a fault. It's a tiny project, but it's safer than Zangi.