Cybersecurity researchers from ESET have warned of a recently-discovered vulnerability in the Android version of the popular instant messaging application Telegram.

The vulnerability allowed threat actors to deploy malware on the vulnerable devices, and apparently - it was being actively exploited for weeks.

A threat actor called Ancryno took to a Russian-speaking underground forum in early June 2024, to sell a zero-day exploit for Telegram versions 10.14.4 and older. This drew the attention of ESET’s experts, and when a proof-of-concept (PoC) was published, they picked up the malicious payload, analyzed it, and confirmed that it works.

Fake prompts

The vulnerability allowed threat actors to create malicious .APK files (Android installation packages) which, to the recipient, look like a video message. Since Telegram automatically downloads all multimedia, all the victim needs to do is open up the chat window to receive the payload. 

Users who disabled the automatic download of multimedia files need to tap on the received message once to trigger the download.

This leaves the problem of actually running the file, since the APK still needs to be installed. The hackers partially solved it by displaying a fake prompt that the video needs to be played in an external player. Accepting this prompt triggers another one which says that Telegram is barred from installing APK files. If the victim ignores all of these red flags, they will end up with the installed malware.

Further analyzing the threat actor’s infrastructure, ESET found two malicious payloads hosted online, one that pretends to be Avast Antivirus, and a fake “premium mod” for xHamster (a website with adult content).

The researchers reported their findings to Telegram’s developers, which came back with a patch on July 11. In its writeup, BleepingComputer points that the flaw was running wild for at least five weeks, giving crooks plenty of time to target Telegram users. 

The earliest patched version is v10.14.5. Telegram’s desktop app was never vulnerable.

Via BleepingComputer

More from TechRadar Pro



source https://www.techradar.com/pro/security/a-dangerous-telegram-zero-day-could-have-left-users-open-to-attack-via-video