Cybersecurity researchers from ESET are warning about a recently discovered vulnerability in the Android version of the popular chat application Telegram.
The vulnerability allowed malicious parties to install malware on vulnerable devices, and was apparently actively exploited for weeks.
A threat actor called Ancryno took to a Russian-language underground forum in early June 2024 to sell a zero-day exploit for Telegram versions 10.14. 4 and older. This caught the attention of ESET’s experts, and when a proof-of-concept (PoC) was published, they captured the malicious payload, analyzed it, and confirmed that it worked.
Fake Prompts
The vulnerability allowed threat actors to create malicious .APK files (Android installation packages) that appear to the recipient as a video message. Since Telegram automatically downloads all multimedia, the victim only needs to open the chat window to receive the payload.
Users who have disabled automatic downloading of multimedia files will need to tap once on the received message to activate the download.
This leaves the issue of actually running the file, as the APK still needs to be installed. The hackers have partially solved this by displaying a fake prompt that the video needs to be played in an external player. Accepting this prompt triggers another prompt that says Telegram is not allowed to install APK files. If the victim ignores all these red flags, they end up with the malware installed.
Upon further analysis of the attacker’s infrastructure, ESET found two malicious payloads hosted online: one impersonating Avast Antivirus and a fake ‘premium mod’ for xHamster (an adult content website).
The researchers reported their findings to Telegram’s developers, who released a patch on July 11. BleepingComputer’s report notes that the flaw had been active for at least five weeks, giving criminals ample time to target Telegram users.
The first patched version is v10.14.5. Telegram desktop app was never vulnerable.
Through BleepingComputer