A dangerous zero-day could have left Telegram users open to attack via video

(Image credit: unsplash)

Cybersecurity researchers from ESET have warned of a recently-discovered vulnerability targeting Telegram users.

The vulnerability allowed threat actors to deploy malware on the vulnerable devices, and had apparently been actively exploited for weeks.

A threat actor called Ancryno took to a Russian-speaking underground forum in early June 2024, to sell a zero-day exploit for Telegram versions 10.14.4 and older. This drew the attention of ESET’s experts, and when a proof-of-concept (PoC) was published, they picked up the malicious payload, analyzed it, and confirmed that it works.

Fake prompts

The vulnerability allowed threat actors to create malicious .APK files (Android installation packages) which, to the recipient, look like a video message. Since Telegram automatically downloads all multimedia, all the victim needs to do is open up the chat window to receive the payload.

Users who disabled the automatic download of multimedia files need to tap on the received message once to trigger the download.

This leaves the problem of actually running the file, since the APK still needs to be installed. The hackers partially solved it by displaying a fake prompt that the video needs to be played in an external player. Accepting this prompt triggers another one which says that Telegram is barred from installing APK files. If the victim ignores all of these red flags, they will end up with the installed malware.

Further analyzing the threat actor’s infrastructure, ESET found two malicious payloads hosted online, one that pretends to be Avast Antivirus, and a fake “premium mod” for xHamster (a website with adult content).

The researchers reported their findings to Telegram’s developers, which came back with a patch on July 11. In its writeup, BleepingComputer points that the flaw was running wild for at least five weeks, giving crooks plenty of time to target Telegram users.

The earliest patched version is v10.14.5. Telegram’s desktop app was never vulnerable.

A Telegram spokesperson has tol TechRadar Pro, "This exploit is not a vulnerability in Telegram. It would have required users to open the video, adjust Android safety settings and then manually install a suspicious-looking "media app".

We received a report about this exploit on July 5th and a server-side fix was deployed on July 9th to protect users on all versions of Telegram."

Via BleepingComputer

More from TechRadar Pro

Telegram had some major security vulnerabilities
Here's a list of the best malware removal tools around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.