ESET cybersecurity researchers have warned about a recently discovered vulnerability in the Android version of the popular instant messaging app Telegram.
The vulnerability allowed threat actors to deploy malware on vulnerable devices and was apparently being actively exploited for weeks.
In early June 2024, a threat actor named Ancryno took to a Russian-speaking underground forum to sell a zero-day exploit for Telegram versions 10.14.4 and older. This caught the attention of ESET experts, and when a proof-of-concept (PoC) was published, they detected the malicious payload, analyzed it, and confirmed that it works.
Fake notices
The vulnerability allowed threat actors to create malicious APK files (Android installation packages) that look like a video message to the recipient. Since Telegram automatically downloads all media content, all the victim needs to do is open the chat window to receive the content.
Users who have disabled automatic download of media files will need to tap the received message once to activate the download.
This leaves the problem of running the file, as the APK still needs to be installed. The hackers partially solved this by displaying a fake message stating that the video needs to be played in an external player. Accepting this message triggers another one stating that Telegram is prohibited from installing APK files. If the victim ignores all these red flags, they will end up with the malware installed.
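A defender-side check for the mismatch described above (a message declared as a video whose bytes are actually an Android package), as an added Python example that is not part of the ESET or BleepingComputer reporting; the sample attachments are constructed inline and the sniffing heuristics are assumptions, not Telegram's own logic:

```python
import io
import zipfile

# Constructed sample attachments for the example (not files from the campaign).
def _build_fake_apk() -> bytes:
    """Build a minimal ZIP with the members every APK carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

# ISO BMFF container: 4-byte box size followed by the 'ftyp' box type.
MP4_SAMPLE = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24

VIDEO_MIME_TYPES = {"video/mp4", "video/quicktime", "video/webm", "video/x-matroska"}

def is_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying Android package members."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names or "classes.dex" in names

def looks_like_video(data: bytes) -> bool:
    """Cheap container sniff: ISO BMFF ('ftyp' at offset 4) or Matroska/WebM EBML magic."""
    return data[4:8] == b"ftyp" or data.startswith(b"\x1a\x45\xdf\xa3")

def classify_attachment(declared_mime: str, data: bytes) -> str:
    """Compare the sender-declared type with what the bytes actually are."""
    if declared_mime in VIDEO_MIME_TYPES and is_apk(data):
        return "apk-disguised-as-video"
    if declared_mime in VIDEO_MIME_TYPES and not looks_like_video(data):
        return "declared-video-but-unrecognized-container"
    return "consistent"
```

The declared type alone is what the victim sees in the chat; only the content check flags the disguised package before any "open in external player" prompt is reached.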
Further analyzing the threat actor’s infrastructure, ESET found two malicious payloads hosted online: one pretending to be Avast Antivirus and a fake “premium mod” for xHamster (a website featuring adult content).
The researchers reported their findings to Telegram developers, who responded with a patch on July 11. In its article, BleepingComputer notes that the flaw was active for at least five weeks, giving the criminals plenty of time to target Telegram users.
The first patched version is v10.14.5. Telegram's desktop app was never vulnerable.
Via BleepingComputer