
This 'EvilVideo' Vulnerability Was Found Haunting Telegram Users On Android


No product is perfect. The more complex it becomes, the more vulnerabilities are waiting to be found.

Telegram Messenger, the popular privacy-focused messaging app, is the brainchild of Pavel Durov. This time a bug has been found in it, and it could spell catastrophe for anyone who encountered it.

Cybersecurity researchers from ESET have warned of a vulnerability in the Android version of the instant messaging app.

The vulnerability in question allowed threat actors to deploy malware on vulnerable devices.

And worse, it was actively exploited for weeks.

According to a blog post by the researchers at ESET, a threat actor going by Ancryno took to a Russian-speaking underground forum in early June 2024 to sell a zero-day exploit for Telegram versions 10.14.4 and older.

This quickly caught the attention of the researchers at ESET, who analyzed a proof-of-concept (PoC) of the exploit and the malicious payload it delivered.

They found that the exploit let an attacker send a malicious APK file (an Android installation package) that, on the recipient's side, Telegram for Android displayed as a video message rather than as a file.
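The description above (an APK rendered as a video message) implies a mismatch between the media type the sender declared and what the file's bytes actually are. The added example below, which is not Telegram's code or ESET's, shows the check a hardened client or a gateway in front of one would perform: classify the attachment by its leading bytes and refuse to render anything labelled `video/*` whose content is not a video. The sample files, the function names and the `video/mp4` label are constructed for illustration; the APK sample is a placeholder ZIP, not a real package.

```python
import io
import struct
import zipfile

APK_MIME = "application/vnd.android.package-archive"


def sniff_content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring any declared MIME type or extension.

    Only the two cases that matter here are distinguished: ISO base media
    (MP4/3GP) files, which begin with an 'ftyp' box at offset 4, and ZIP
    archives, which every APK is (it must contain AndroidManifest.xml).
    """
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "application/zip"
        return APK_MIME if "AndroidManifest.xml" in names else "application/zip"
    return "application/octet-stream"


def check_incoming_media(declared_mime: str, data: bytes) -> dict:
    """Return a verdict for an attachment the sender has labelled `declared_mime`.

    A message is rendered as a video only when the bytes are a video. Anything
    else labelled video/* is a type mismatch and is refused outright instead of
    being offered to an 'external player', which is the hand-off the
    social-engineering chain depends on.
    """
    actual = sniff_content_type(data)
    if declared_mime.startswith("video/"):
        if actual == "video/mp4":
            return {"verdict": "render_video", "actual": actual}
        return {
            "verdict": "reject",
            "actual": actual,
            "reason": f"declared {declared_mime} but content is {actual}",
        }
    if actual == APK_MIME:
        # An honestly labelled APK still requires an explicit install decision.
        return {"verdict": "prompt_install", "actual": actual}
    return {"verdict": "download_only", "actual": actual}


# --- constructed sample inputs (placeholders, not real malware) -------------

def build_fake_video_apk() -> bytes:
    """A minimal ZIP that the sniffer classifies as an APK; it stands in for a
    payload sent with a video label."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not a binary manifest
        zf.writestr("classes.dex", b"dex\n035\x00")        # placeholder, not valid DEX
    return buf.getvalue()


def build_minimal_mp4() -> bytes:
    """A structurally minimal MP4: an 'ftyp' box followed by an empty 'mdat' box."""
    brand_payload = b"isom" + struct.pack(">I", 512) + b"isomiso2mp41"
    ftyp = struct.pack(">I", 8 + len(brand_payload)) + b"ftyp" + brand_payload
    mdat = struct.pack(">I", 8) + b"mdat"
    return ftyp + mdat


if __name__ == "__main__":
    cases = [
        ("real video", "video/mp4", build_minimal_mp4()),
        ("APK labelled as video", "video/mp4", build_fake_video_apk()),
        ("APK labelled as APK", APK_MIME, build_fake_video_apk()),
    ]
    for label, declared, blob in cases:
        print(f"{label:24} -> {check_incoming_media(declared, blob)}")
```

The point of the design is that the declared type only selects which policy applies; the decision itself is made on the sniffed type, so an attacker controlling the label gains nothing.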

Since Telegram for Android downloads media automatically by default, all the victim needs to do is open the chat for the payload to land on the device.

Users who had disabled automatic media downloads had to tap the received message once to download the malicious file.

A downloaded APK does nothing on its own; it has to be installed. The attackers relied on social engineering to get the victim over that hurdle.

When the victim tried to play the bogus video, a prompt appeared offering to open the file in an external player instead.

Accepting that prompt triggered Android's own permission dialog, stating that Telegram is not allowed to install unknown apps and asking the user to grant it that permission.

If the victim clicked through all of these red flags, the malware ended up installed on the phone.

The researchers at ESET observed two malicious payloads, both hosted online.

The first posed as Avast Antivirus, the second as a fake "premium mod" for the adult website xHamster.

Upon finding the bug, the researchers reported it to Telegram's developers, who shipped a patch on July 11. As BleepingComputer points out in its writeup, the exploit had been on sale for at least five weeks by then, giving crooks plenty of time to target Telegram users.

The first patched version is v10.14.5. Telegram's desktop app was never vulnerable.

Published: 24/07/2024