Technology

A dangerous Telegram zero-day could have left users open to attack via video

July 23, 2024

Cybersecurity researchers from ESET have warned of a recently-discovered vulnerability in the Android version of the popular instant messaging application Telegram.

The vulnerability allowed threat actors to deploy malware on the vulnerable devices, and apparently – it was being actively exploited for weeks.

A threat actor called Ancryno took to a Russian-speaking underground forum in early June 2024, to sell a zero-day exploit for Telegram versions 10.14.4 and older. This drew the attention of ESET’s experts, and when a proof-of-concept (PoC) was published, they picked up the malicious payload, analyzed it, and confirmed that it works.

Fake prompts

The vulnerability allowed threat actors to create malicious .APK files (Android installation packages) which, to the recipient, look like a video message. Since Telegram automatically downloads all multimedia, all the victim needs to do is open up the chat window to receive the payload.

Users who disabled the automatic download of multimedia files need to tap on the received message once to trigger the download.

This leaves the problem of actually running the file, since the APK still needs to be installed. The hackers partially solved it by displaying a fake prompt that the video needs to be played in an external player. Accepting this prompt triggers another one which says that Telegram is barred from installing APK files. If the victim ignores all of these red flags, they will end up with the installed malware.

Further analyzing the threat actor’s infrastructure, ESET found two malicious payloads hosted online, one that pretends to be Avast Antivirus, and a fake “premium mod” for xHamster (a website with adult content).

The researchers reported their findings to Telegram’s developers, which came back with a patch on July 11. In its writeup, BleepingComputer points that the flaw was running wild for at least five weeks, giving crooks plenty of time to target Telegram users.

The earliest patched version is v10.14.5. Telegram’s desktop app was never vulnerable.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar