
Hackers Exploit Telegram Zero-Day Flaw to Mine Cryptocurrencies

Last Updated March 4, 2021 5:04 PM
Francisco Memoria

According to Russian cybersecurity firm Kaspersky Labs, hackers have been using a zero-day exploit in Telegram to infect its users with cryptocurrency-mining malware, so as to mine privacy-centric cryptocurrencies like Monero, Zcash, and others. Only Telegram’s desktop app was targeted.

The attack is the latest case of an ongoing cryptojacking trend that recently saw hackers hijack millions of Android devices to mine Monero. The trend seemingly picked up when popular torrent-index website The Pirate Bay experimented with mining Monero on users’ PCs as an alternative to running ads.

Per the cybersecurity firm’s report, hackers have been exploiting the vulnerability since March 2017. To infect users, cybercriminals took advantage of a feature that allows Telegram to recognize text in Arabic and Hebrew, languages written from right to left.

Hackers used a hidden character in the feature that reversed the order of the characters, effectively allowing them to disguise file names. This way, they tricked users into installing malware-laden files that then used their computers to mine cryptocurrencies, and potentially gave the attackers backdoor access to the victim’s machine. In one case, researchers found archives containing a Telegram local cache stolen from a victim.
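The article does not name the hidden character; the check below, an added example that is not from Kaspersky’s report or this article, assumes it is the Unicode right-to-left override (U+202E) and shows how a defender can flag file names whose displayed extension differs from the real one. The sample file name is constructed for illustration.

```python
# Unicode bidirectional control characters. They change how a name is drawn
# on screen but not the bytes the OS uses to pick the program that opens it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def find_bidi_controls(name):
    """Return (index, code point, label) for every bidi control in name."""
    return [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]

def displayed_name(name):
    """Approximate what a user sees: text after an RLO (U+202E) is drawn
    right-to-left until a PDF (U+202C) or the end; other controls vanish.
    This is a simplification of the full Unicode bidi algorithm."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def real_extension(name):
    """Extension the operating system actually uses (after the last dot)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def assess(name):
    """Flag a name as suspicious when it carries bidi controls and the
    extension the user would see differs from the one the OS will use."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    return {
        "controls": controls,
        "shown_as": shown,
        "real_extension": real_extension(name),
        "shown_extension": real_extension(shown),
        "suspicious": bool(controls) and real_extension(name) != real_extension(shown),
    }

if __name__ == "__main__":
    # Constructed sample: the real file is a .js script shown as a .png image.
    print(assess("photo_high_re\u202egnp.js"))
```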

The post reads:

“After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools.”

Kaspersky noted that the malicious software was only found in Russia, and that clues in the code pointed to Russian cybercriminals. It added that Telegram wasn’t the only vulnerable messaging app, as last month it found an exploit in WhatsApp that allowed criminals to steal messages.

The Russian firm contacted Telegram on the issue back in October, and by November the problem was reportedly fixed. On a technical channel, Telegram clarified the attack was a form of social engineering, and that it only worked if the user downloaded the malicious file.

Pavel Durov, the company’s founder, noted that this isn’t a “real vulnerability on Telegram Desktop,” as no one can remotely access another user’s computer or Telegram unless the file was opened. Per Durov, reports like these should be carefully examined.

“As always, reports from antivirus companies must be taken with a grain of salt, as they tend to exaggerate the severity of their findings to get publicity in mass media.”

As covered by CCN.com, Telegram is working on a potentially record-setting ICO that could raise billions. The project aims to create “Gram,” a cryptocurrency that will function as the native currency of the Telegram Open Network (TON) and will be integrated directly into the Telegram platform, which is set to hit 200 million users in the first quarter of this year.

Featured image from Shutterstock.